* [iptables PATCH 0/9] Improve testsuites' code coverage
From: Phil Sutter @ 2022-06-08 16:27 UTC (permalink / raw)
To: netfilter-devel
First patch adds support to conveniently build with profiling support
for coverage analysis using 'gcov'.
Patches 2-5 improve results by extending test cases.
Patch 6 is fallout, fixes a segfault when trying to use --init-table
in input to ebtables-restore.
The remaining patches improve string match printing and parsing and
enable previously commented out tests.
Phil Sutter (9):
Makefile: Add --enable-profiling configure option
tests: shell: Add some more rules to 0002-verbose-output_0
tests: shell: Extend iptables-xml test a bit
tests: shell: Extend zero counters test a bit further
extensions: libebt_standard.t: Test logical-{in,out} as well
ebtables-restore: Deny --init-table
extensions: string: Do not print default --to value
extensions: string: Review parse_string() function
extensions: string: Fix and enable tests
.gitignore | 4 ++++
configure.ac | 10 +++++++++
extensions/GNUmakefile.in | 2 +-
extensions/libebt_standard.t | 5 +++++
extensions/libxt_string.c | 17 +++++++--------
extensions/libxt_string.t | 21 +++++++------------
iptables/Makefile.am | 1 +
.../testcases/ip6tables/0002-verbose-output_0 | 15 +++++++++++++
.../testcases/ipt-save/0006iptables-xml_0 | 10 +--------
.../testcases/iptables/0007-zero-counters_0 | 15 +++++++++++++
iptables/xtables-eb.c | 3 +++
libipq/Makefile.am | 1 +
libiptc/Makefile.am | 1 +
libxtables/Makefile.am | 1 +
utils/Makefile.am | 1 +
15 files changed, 74 insertions(+), 33 deletions(-)
--
2.34.1
* [iptables PATCH 1/9] Makefile: Add --enable-profiling configure option
From: Phil Sutter @ 2022-06-08 16:27 UTC (permalink / raw)
To: netfilter-devel
A little convenience to prepare a build for analysis with gcov/gprof.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
.gitignore | 4 ++++
configure.ac | 10 ++++++++++
extensions/GNUmakefile.in | 2 +-
iptables/Makefile.am | 1 +
libipq/Makefile.am | 1 +
libiptc/Makefile.am | 1 +
libxtables/Makefile.am | 1 +
utils/Makefile.am | 1 +
8 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/.gitignore b/.gitignore
index e55952642ed0d..a206fb4870bc8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,8 @@
*.a
+*.gcda
+*.gcno
+*.gcno.gcov.json.gz
+*.gcov
*.la
*.lo
*.so
diff --git a/configure.ac b/configure.ac
index 071afaf1515de..ea5d2d49112a3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -71,6 +71,9 @@ AC_ARG_WITH([xt-lock-name], AS_HELP_STRING([--with-xt-lock-name=PATH],
[Path to the xtables lock [[/run/xtables.lock]]]),
[xt_lock_name="$withval"],
[xt_lock_name="/run/xtables.lock"])
+AC_ARG_ENABLE([profiling],
+ AS_HELP_STRING([--enable-profiling], [build for use of gcov/gprof]),
+ [enable_profiling="$enableval"], [enable_profiling="no"])
AC_MSG_CHECKING([whether $LD knows -Wl,--no-undefined])
saved_LDFLAGS="$LDFLAGS";
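Review bot: The help string in AS_HELP_STRING advertises "gcov/gprof", but the only flags this patch adds are -fprofile-arcs, -ftest-coverage, -lgcov and --coverage, all of which serve gcov; nothing adds -pg for gprof. Either reword the help text to something like "build for coverage analysis with gcov" or add the gprof flags as well.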
@@ -188,6 +191,11 @@ if [[ -n "$ksourcedir" ]]; then
fi;
pkgdatadir='${datadir}/xtables';
+if test "x$enable_profiling" = "xyes"; then
+ regular_CFLAGS+=" -fprofile-arcs -ftest-coverage"
+ regular_LDFLAGS+=" -lgcov --coverage"
+fi
+
define([EXPAND_VARIABLE],
[$2=[$]$1
if test $prefix = 'NONE'; then
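Review bot: The two `+=` assignments inside the new `if test "x$enable_profiling" = "xyes"` block are a bash extension, and configure runs under /bin/sh; where that is dash, each line is parsed as a command name, fails with "not found", and the flags are silently dropped. Spell it portably, e.g. regular_CFLAGS="$regular_CFLAGS -fprofile-arcs -ftest-coverage". Also, --coverage at link time already pulls in libgcov, so the explicit -lgcov is redundant, and a library does not belong in an LDFLAGS variable anyway.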
@@ -205,6 +213,7 @@ eval "$2=[$]$2"
AC_SUBST([regular_CFLAGS])
AC_SUBST([regular_CPPFLAGS])
AC_SUBST([noundef_LDFLAGS])
+AC_SUBST([regular_LDFLAGS])
AC_SUBST([kinclude_CPPFLAGS])
AC_SUBST([kbuilddir])
AC_SUBST([ksourcedir])
@@ -250,6 +259,7 @@ Iptables Configuration:
nfsynproxy util support: ${enable_nfsynproxy}
nftables support: ${enable_nftables}
connlabel support: ${enable_connlabel}
+ profiling support: ${enable_profiling}
Build parameters:
Put plugins into executable (static): ${enable_static}
diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
index 6dad4e02481bd..3c68f8decd13f 100644
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
@@ -24,7 +24,7 @@ kinclude_CPPFLAGS = @kinclude_CPPFLAGS@
AM_CFLAGS = ${regular_CFLAGS}
AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_builddir} -I${top_srcdir}/include -I${top_srcdir} ${kinclude_CPPFLAGS} ${CPPFLAGS} @libnetfilter_conntrack_CFLAGS@ @libnftnl_CFLAGS@
AM_DEPFLAGS = -Wp,-MMD,$(@D)/.$(@F).d,-MT,$@
-AM_LDFLAGS = @noundef_LDFLAGS@
+AM_LDFLAGS = @noundef_LDFLAGS@ @regular_LDFLAGS@
ifeq (${V},)
AM_LIBTOOL_SILENT = --silent
diff --git a/iptables/Makefile.am b/iptables/Makefile.am
index 0258264c4c705..23f8352d30610 100644
--- a/iptables/Makefile.am
+++ b/iptables/Makefile.am
@@ -2,6 +2,7 @@
AM_CFLAGS = ${regular_CFLAGS}
AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}/include -I${top_srcdir} ${kinclude_CPPFLAGS} ${libmnl_CFLAGS} ${libnftnl_CFLAGS} ${libnetfilter_conntrack_CFLAGS}
+AM_LDFLAGS = ${regular_LDFLAGS}
BUILT_SOURCES =
diff --git a/libipq/Makefile.am b/libipq/Makefile.am
index 9e3a2ca6c42e2..2cdaf32e03292 100644
--- a/libipq/Makefile.am
+++ b/libipq/Makefile.am
@@ -2,6 +2,7 @@
AM_CFLAGS = ${regular_CFLAGS}
AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}/include
+AM_LDFLAGS = ${regular_LDFLAGS}
libipq_la_SOURCES = libipq.c
lib_LTLIBRARIES = libipq.la
diff --git a/libiptc/Makefile.am b/libiptc/Makefile.am
index 464a069628f0c..097842f212bb5 100644
--- a/libiptc/Makefile.am
+++ b/libiptc/Makefile.am
@@ -2,6 +2,7 @@
AM_CFLAGS = ${regular_CFLAGS}
AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}/include ${kinclude_CPPFLAGS}
+AM_LDFLAGS = ${regular_LDFLAGS}
pkgconfig_DATA = libiptc.pc libip4tc.pc libip6tc.pc
diff --git a/libxtables/Makefile.am b/libxtables/Makefile.am
index 3bfded8570e08..2f4a12e571b9b 100644
--- a/libxtables/Makefile.am
+++ b/libxtables/Makefile.am
@@ -2,6 +2,7 @@
AM_CFLAGS = ${regular_CFLAGS}
AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}/include -I${top_srcdir}/iptables -I${top_srcdir} ${kinclude_CPPFLAGS}
+AM_LDFLAGS = ${regular_LDFLAGS}
lib_LTLIBRARIES = libxtables.la
libxtables_la_SOURCES = xtables.c xtoptions.c getethertype.c
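Review bot: The added AM_LDFLAGS in libxtables/Makefile.am only takes effect for targets that have no per-target LDFLAGS; automake ignores AM_LDFLAGS for any target that sets its own, so if libxtables_la_LDFLAGS is defined further down in this file, ${regular_LDFLAGS} never reaches the libxtables.la link line. In that case append ${regular_LDFLAGS} to the per-target variable instead. The same check applies to the other Makefile.am files touched by this patch.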
diff --git a/utils/Makefile.am b/utils/Makefile.am
index 42bd973730194..327a29e028c4d 100644
--- a/utils/Makefile.am
+++ b/utils/Makefile.am
@@ -3,6 +3,7 @@
AM_CFLAGS = ${regular_CFLAGS}
AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include \
-I${top_srcdir}/include ${libnfnetlink_CFLAGS}
+AM_LDFLAGS = ${regular_LDFLAGS}
sbin_PROGRAMS =
pkgdata_DATA =
--
2.34.1
* [iptables PATCH 2/9] tests: shell: Add some more rules to 0002-verbose-output_0
From: Phil Sutter @ 2022-06-08 16:27 UTC (permalink / raw)
To: netfilter-devel
This increases coverage of function print_match() from 0 to 86.6%.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
.../testcases/ip6tables/0002-verbose-output_0 | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/iptables/tests/shell/testcases/ip6tables/0002-verbose-output_0 b/iptables/tests/shell/testcases/ip6tables/0002-verbose-output_0
index 7b0e64686c6b6..7624cbab655ad 100755
--- a/iptables/tests/shell/testcases/ip6tables/0002-verbose-output_0
+++ b/iptables/tests/shell/testcases/ip6tables/0002-verbose-output_0
@@ -9,12 +9,24 @@ RULE1='-i eth2 -o eth3 -s feed:babe::1 -d feed:babe::2 -j ACCEPT'
VOUT1='ACCEPT all opt in eth2 out eth3 feed:babe::1 -> feed:babe::2'
RULE2='-i eth2 -o eth3 -s feed:babe::4 -d feed:babe::5 -j ACCEPT'
VOUT2='ACCEPT all opt in eth2 out eth3 feed:babe::4 -> feed:babe::5'
+RULE3='-p icmpv6 -m icmp6 --icmpv6-type no-route'
+VOUT3=' ipv6-icmp opt in * out * ::/0 -> ::/0 ipv6-icmptype 1 code 0'
+RULE4='-m dst --dst-len 42 -m rt --rt-type 23'
+VOUT4=' all opt in * out * ::/0 -> ::/0 dst length:42 rt type:23'
+RULE5='-m frag --fragid 1337 -j LOG'
+VOUT5='LOG all opt in * out * ::/0 -> ::/0 frag id:1337 LOG flags 0 level 4'
diff -u -Z <(echo -e "$VOUT1") <($XT_MULTI ip6tables -v -A FORWARD $RULE1)
diff -u -Z <(echo -e "$VOUT2") <($XT_MULTI ip6tables -v -I FORWARD 2 $RULE2)
+diff -u -Z <(echo -e "$VOUT3") <($XT_MULTI ip6tables -v -A FORWARD $RULE3)
+diff -u -Z <(echo -e "$VOUT4") <($XT_MULTI ip6tables -v -A FORWARD $RULE4)
+diff -u -Z <(echo -e "$VOUT5") <($XT_MULTI ip6tables -v -A FORWARD $RULE5)
diff -u -Z <(echo -e "$VOUT1") <($XT_MULTI ip6tables -v -C FORWARD $RULE1)
diff -u -Z <(echo -e "$VOUT2") <($XT_MULTI ip6tables -v -C FORWARD $RULE2)
+diff -u -Z <(echo -e "$VOUT3") <($XT_MULTI ip6tables -v -C FORWARD $RULE3)
+diff -u -Z <(echo -e "$VOUT4") <($XT_MULTI ip6tables -v -C FORWARD $RULE4)
+diff -u -Z <(echo -e "$VOUT5") <($XT_MULTI ip6tables -v -C FORWARD $RULE5)
EXPECT='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
@@ -23,6 +35,9 @@ Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all eth2 eth3 feed:babe::1 feed:babe::2
0 0 ACCEPT all eth2 eth3 feed:babe::4 feed:babe::5
+ 0 0 ipv6-icmp * * ::/0 ::/0 ipv6-icmptype 1 code 0
+ 0 0 all * * ::/0 ::/0 dst length:42 rt type:23
+ 0 0 LOG all * * ::/0 ::/0 frag id:1337 LOG flags 0 level 4
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination'
--
2.34.1
* [iptables PATCH 3/9] tests: shell: Extend iptables-xml test a bit
From: Phil Sutter @ 2022-06-08 16:27 UTC (permalink / raw)
To: netfilter-devel
Call with --combine as well, even though output doesn't differ. Also
there's no need to skip for xtables-nft-multi, it provides the same
functionality.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
.../tests/shell/testcases/ipt-save/0006iptables-xml_0 | 10 +---------
1 file changed, 1 insertion(+), 9 deletions(-)
diff --git a/iptables/tests/shell/testcases/ipt-save/0006iptables-xml_0 b/iptables/tests/shell/testcases/ipt-save/0006iptables-xml_0
index 50c0cae888341..bcfaad36f1249 100755
--- a/iptables/tests/shell/testcases/ipt-save/0006iptables-xml_0
+++ b/iptables/tests/shell/testcases/ipt-save/0006iptables-xml_0
@@ -1,13 +1,5 @@
#!/bin/bash
-case "$(basename $XT_MULTI)" in
- xtables-legacy-multi)
- ;;
- *)
- echo "skip $XT_MULTI"
- exit 0
- ;;
-esac
-
dump=$(dirname $0)/dumps/fedora27-iptables
diff -u -Z <(cat ${dump}.xml) <($XT_MULTI iptables-xml <$dump)
+diff -u -Z <(cat ${dump}.xml) <($XT_MULTI iptables-xml -c <$dump)
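Review bot: The commit message says the test now also runs with --combine, but the added diff line spells it `-c`, which in the neighbouring tests of this series (iptables-save -c, iptables-restore -c) means counters. Using the long form `--combine` in the new invocation would make the intent obvious. Since the message also states that the output does not differ, a dump where combining actually changes the XML would let this second diff check more than option parsing.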
--
2.34.1
* [iptables PATCH 4/9] tests: shell: Extend zero counters test a bit further
From: Phil Sutter @ 2022-06-08 16:27 UTC (permalink / raw)
To: netfilter-devel
Test zeroing a single rule's counters as well.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
.../shell/testcases/iptables/0007-zero-counters_0 | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/iptables/tests/shell/testcases/iptables/0007-zero-counters_0 b/iptables/tests/shell/testcases/iptables/0007-zero-counters_0
index 36da1907e3b22..2179347200854 100755
--- a/iptables/tests/shell/testcases/iptables/0007-zero-counters_0
+++ b/iptables/tests/shell/testcases/iptables/0007-zero-counters_0
@@ -10,6 +10,7 @@ $XT_MULTI iptables-restore -c <<EOF
[12:345] -A INPUT -i lo -p icmp -m comment --comment "$COUNTR"
[22:123] -A FOO -m comment --comment one
[44:123] -A FOO -m comment --comment two
+[66:123] -A FOO -m comment --comment three
COMMIT
EOF
EXPECT="*filter
@@ -20,6 +21,7 @@ EXPECT="*filter
[0:0] -A INPUT -i lo -p icmp -m comment --comment "$COUNTR"
[0:0] -A FOO -m comment --comment one
[0:0] -A FOO -m comment --comment two
+[0:0] -A FOO -m comment --comment three
COMMIT"
COUNTER=$($XT_MULTI iptables-save -c |grep "comment $COUNTR"| cut -f 1 -d " ")
@@ -28,6 +30,18 @@ if [ $COUNTER != "[12:345]" ]; then
RC=1
fi
+$XT_MULTI iptables -Z FOO 2
+COUNTER=$($XT_MULTI iptables-save -c | grep "comment two"| cut -f 1 -d " ")
+if [ $COUNTER != "[0:0]" ]; then
+ echo "Counter $COUNTER is wrong, should have been zeroed"
+ RC=1
+fi
+COUNTER=$($XT_MULTI iptables-save -c | grep "comment three"| cut -f 1 -d " ")
+if [ $COUNTER != "[66:123]" ]; then
+ echo "Counter $COUNTER is wrong, should not have been zeroed"
+ RC=1
+fi
+
$XT_MULTI iptables -Z FOO
COUNTER=$($XT_MULTI iptables-save -c |grep "comment $COUNTR"| cut -f 1 -d " ")
if [ $COUNTER = "[0:0]" ]; then
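Review bot: `$COUNTER` is unquoted in both new checks (`if [ $COUNTER != "[0:0]" ]` and `if [ $COUNTER != "[66:123]" ]`), so if grep finds no matching line the expansion is empty, `[` exits with a usage error, the branch is skipped and RC is left untouched: the check passes exactly when the rule is missing. Quote it as "$COUNTER"; the surrounding context lines use the same unquoted pattern and would benefit from the same change.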
@@ -60,5 +74,6 @@ fi
$XT_MULTI iptables -D INPUT -i lo -p icmp -m comment --comment "$COUNTR"
$XT_MULTI iptables -D FOO -m comment --comment one
$XT_MULTI iptables -D FOO -m comment --comment two
+$XT_MULTI iptables -D FOO -m comment --comment three
$XT_MULTI iptables -X FOO
exit $RC
--
2.34.1
* [iptables PATCH 5/9] extensions: libebt_standard.t: Test logical-{in,out} as well
From: Phil Sutter @ 2022-06-08 16:27 UTC (permalink / raw)
To: netfilter-devel
These weren't used anywhere before. At least ensure they are only
allowed where claimed.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
extensions/libebt_standard.t | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/extensions/libebt_standard.t b/extensions/libebt_standard.t
index c6c3172748d7b..97cb3baaf6d21 100644
--- a/extensions/libebt_standard.t
+++ b/extensions/libebt_standard.t
@@ -12,12 +12,17 @@
:INPUT
-i foobar;=;OK
-o foobar;=;FAIL
+--logical-in br0;=;OK
+--logical-out br1;=;FAIL
:FORWARD
-i foobar;=;OK
-o foobar;=;OK
+--logical-in br0 --logical-out br1;=;OK
:OUTPUT
-i foobar;=;FAIL
-o foobar;=;OK
+--logical-in br0;=;FAIL
+--logical-out br1;=;OK
:PREROUTING
*nat
-i foobar;=;OK
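Review bot: The new cases cover the INPUT, FORWARD and OUTPUT sections only; the `:PREROUTING` / `*nat` section that starts at the end of this hunk still tests just `-i foobar`, so the commit message's goal of ensuring the options are only allowed where claimed is not checked for the nat chains. FORWARD also tests only the two options combined; separate `--logical-in br0;=;OK` and `--logical-out br1;=;OK` lines would pin each one individually.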
--
2.34.1
* [iptables PATCH 6/9] ebtables-restore: Deny --init-table
From: Phil Sutter @ 2022-06-08 16:27 UTC (permalink / raw)
To: netfilter-devel
Allowing this segfaults the program. The deny is in line with legacy
ebtables, so no point in implementing support for that.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
iptables/xtables-eb.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index 3d15063e80e91..b986fd9e84799 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -1077,6 +1077,9 @@ print_zero:
flags |= LIST_MAC2;
break;
case 11: /* init-table */
+ if (restore)
+ xtables_error(PARAMETER_PROBLEM,
+ "--init-table is not supported in daemon mode");
nft_cmd_table_flush(h, *table, false);
return 1;
case 13 :
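Review bot: The error text in the new `if (restore)` branch says "daemon mode", while the flag being tested is `restore` and the subject is ebtables-restore; a user feeding --init-table to ebtables-restore would not connect the two. Wording that names restore input would match the condition. Since the commit message says the old behaviour was a segfault, a test that pipes a line containing --init-table into ebtables-restore and expects a clean non-zero exit would keep it from regressing.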
--
2.34.1
* [iptables PATCH 7/9] extensions: string: Do not print default --to value
From: Phil Sutter @ 2022-06-08 16:27 UTC (permalink / raw)
To: netfilter-devel
Default value is UINT16_MAX, not 0. Fix the conditional printing.
Fixes: c6fbf41cdd157 ("update string match to reflect new kernel implementation (Pablo Neira)")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
extensions/libxt_string.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/extensions/libxt_string.c b/extensions/libxt_string.c
index 739a8e7fd66b6..da05fad0f59c8 100644
--- a/extensions/libxt_string.c
+++ b/extensions/libxt_string.c
@@ -269,7 +269,7 @@ string_print(const void *ip, const struct xt_entry_match *match, int numeric)
printf(" ALGO name %s", info->algo);
if (info->from_offset != 0)
printf(" FROM %u", info->from_offset);
- if (info->to_offset != 0)
+ if (info->to_offset != UINT16_MAX)
printf(" TO %u", info->to_offset);
if (revision > 0 && info->u.v1.flags & XT_STRING_FLAG_IGNORECASE)
printf(" ICASE");
@@ -293,7 +293,7 @@ static void string_save(const void *ip, const struct xt_entry_match *match)
printf(" --algo %s", info->algo);
if (info->from_offset != 0)
printf(" --from %u", info->from_offset);
- if (info->to_offset != 0)
+ if (info->to_offset != UINT16_MAX)
printf(" --to %u", info->to_offset);
if (revision > 0 && info->u.v1.flags & XT_STRING_FLAG_IGNORECASE)
printf(" --icase");
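Review bot: The literal UINT16_MAX in `if (info->to_offset != UINT16_MAX)` now appears in both string_print() and string_save(), and has to agree with the default that string_init() assigns; the bug fixed here is exactly those places disagreeing. A shared macro for the default --to value, used at initialisation and in both comparisons, would keep them in step.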
--
2.34.1
* [iptables PATCH 8/9] extensions: string: Review parse_string() function
From: Phil Sutter @ 2022-06-08 16:27 UTC (permalink / raw)
To: netfilter-devel
* Compare against sizeof(info->pattern) which is more clear than having
to know that this buffer is of size XT_STRING_MAX_PATTERN_SIZE
* Invert the check and error early to reduce indenting
* Pass info->patlen to memcpy() to avoid reading past end of 's'
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
extensions/libxt_string.c | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/extensions/libxt_string.c b/extensions/libxt_string.c
index da05fad0f59c8..5d72a5cde008f 100644
--- a/extensions/libxt_string.c
+++ b/extensions/libxt_string.c
@@ -78,14 +78,13 @@ static void string_init(struct xt_entry_match *m)
static void
parse_string(const char *s, struct xt_string_info *info)
-{
+{
/* xt_string does not need \0 at the end of the pattern */
- if (strlen(s) <= XT_STRING_MAX_PATTERN_SIZE) {
- memcpy(info->pattern, s, XT_STRING_MAX_PATTERN_SIZE);
- info->patlen = strnlen(s, XT_STRING_MAX_PATTERN_SIZE);
- return;
- }
- xtables_error(PARAMETER_PROBLEM, "STRING too long \"%s\"", s);
+ if (strlen(s) > sizeof(info->pattern))
+ xtables_error(PARAMETER_PROBLEM, "STRING too long \"%s\"", s);
+
+ info->patlen = strnlen(s, sizeof(info->pattern));
+ memcpy(info->pattern, s, info->patlen);
}
static void
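Review bot: After the early error on `strlen(s) > sizeof(info->pattern)`, the `strnlen(s, sizeof(info->pattern))` call can only return strlen(s) again, so the string is walked twice; keep the length in a local (size_t len = strlen(s)) and use it for the check, for patlen and for memcpy(). Two smaller points: memcpy() no longer touches the bytes of info->pattern beyond patlen, so the function now relies on the buffer having been zeroed beforehand, which deserves a comment; and the `-{` / `+{` pair looks like a whitespace-only change that the commit message does not mention.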
--
2.34.1
* [iptables PATCH 9/9] extensions: string: Fix and enable tests
From: Phil Sutter @ 2022-06-08 16:27 UTC (permalink / raw)
To: netfilter-devel
Some minor fixes were necessary:
* --algo is printed after the pattern
* Second long string test must fail, that string is 129 chars long
* --from 0 and --to 65535 are not printed (default values)
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
extensions/libxt_string.t | 21 +++++++--------------
1 file changed, 7 insertions(+), 14 deletions(-)
diff --git a/extensions/libxt_string.t b/extensions/libxt_string.t
index d68f099d966c6..2f4b30cbc0461 100644
--- a/extensions/libxt_string.t
+++ b/extensions/libxt_string.t
@@ -1,18 +1,11 @@
:INPUT,FORWARD,OUTPUT
-# ERROR: cannot find: iptables -I INPUT -m string --algo bm --string "test"
-# -m string --algo bm --string "test";=;OK
-# ERROR: cannot find: iptables -I INPUT -m string --algo kmp --string "test")
-# -m string --algo kmp --string "test";=;OK
-# ERROR: cannot find: iptables -I INPUT -m string --algo kmp ! --string "test"
-# -m string --algo kmp ! --string "test";=;OK
-# cannot find: iptables -I INPUT -m string --algo bm --string "xxxxxxxxxxx" ....]
-# -m string --algo bm --string "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";=;OK
-# ERROR: cannot load: iptables -A INPUT -m string --algo bm --string "xxxx"
-# -m string --algo bm --string "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";=;OK
-# ERROR: cannot load: iptables -A INPUT -m string --algo bm --hexstring "|0a0a0a0a|"
-# -m string --algo bm --hexstring "|0a0a0a0a|";=;OK
-# ERROR: cannot find: iptables -I INPUT -m string --algo bm --from 0 --to 65535 --string "test"
-# -m string --algo bm --from 0 --to 65535 --string "test";=;OK
+-m string --algo bm --string "test";-m string --string "test" --algo bm;OK
+-m string --string "test" --algo kmp;=;OK
+-m string ! --string "test" --algo kmp;=;OK
+-m string --string "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" --algo bm;=;OK
+-m string --string "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" --algo bm;;FAIL
+-m string --hex-string "|0a0a0a0a|" --algo bm;=;OK
+-m string --algo bm --from 0 --to 65535 --string "test";-m string --string "test" --algo bm;OK
-m string --algo wrong;;FAIL
-m string --algo bm;;FAIL
-m string;;FAIL
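Review bot: The commit message lists three fixes, but the hex test line also changes the option from `--hexstring` to `--hex-string`, which deserves its own bullet since the old comment recorded that case as "cannot load". The suite still has no case with a non-default --from or --to, so the `to_offset != UINT16_MAX` printing path from patch 7 is only exercised for the default value; a line along the lines of `-m string --string "test" --algo bm --from 1 --to 100;=;OK` would cover it.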
--
2.34.1