From: Phil Sutter <phil@nwl.cc>
To: netfilter-devel@vger.kernel.org
Cc: Florian Westphal <fw@strlen.de>
Subject: [iptables PATCH 2/7] tests: xlate: Use --check to verify replay
Date: Thu, 1 Dec 2022 17:39:11 +0100 [thread overview]
Message-ID: <20221201163916.30808-3-phil@nwl.cc> (raw)
In-Reply-To: <20221201163916.30808-1-phil@nwl.cc>
After applying the translated rule using nft, pass the untranslated rule
to --check instead of dumping the ruleset and performing a string
search. This fixes for mandatory match reordering (e.g. addresses before
interfaces) and minor differences like /32 netmasks or even just
whitespace changes.
Fixes: 223e34b057b95 ("tests: xlate-test: Replay results for reverse direction testing")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
xlate-test.py | 46 ++++++++++++++++++----------------------------
1 file changed, 18 insertions(+), 28 deletions(-)
diff --git a/xlate-test.py b/xlate-test.py
index 6513b314beb35..4f037ef6ed96d 100755
--- a/xlate-test.py
+++ b/xlate-test.py
@@ -67,6 +67,7 @@ xtables_nft_multi = 'xtables-nft-multi'
srcwords = sourceline.split()
srccmd = srcwords[0]
+ ipt = srccmd.split('-')[0]
table_idx = -1
chain_idx = -1
table_name = "filter"
@@ -84,16 +85,12 @@ xtables_nft_multi = 'xtables-nft-multi'
if searchline is None:
# adjust sourceline as required
- srcwords[chain_idx] = "-A"
- if table_idx >= 0:
- srcwords.pop(table_idx)
- srcwords.pop(table_idx)
- searchline = " ".join(srcwords[1:])
- elif not searchline.startswith("-A"):
- tmp = ["-A", chain_name]
- if len(searchline) > 0:
- tmp.extend(searchline)
- searchline = " ".join(tmp)
+ checkcmd = srcwords[:]
+ checkcmd[0] = ipt
+ checkcmd[chain_idx] = "--check"
+ else:
+ checkcmd = [ipt, "-t", table_name]
+ checkcmd += ["--check", chain_name, searchline]
fam = ""
if srccmd.startswith("ip6"):
@@ -110,30 +107,23 @@ xtables_nft_multi = 'xtables-nft-multi'
rc, output, error = run_proc([args.nft, "-f", "-"], shell = False, input = "\n".join(nft_input))
if rc != 0:
- result.append(name + ": " + red("Fail"))
+ result.append(name + ": " + red("Replay Fail"))
result.append(args.nft + " call failed: " + error.rstrip('\n'))
for line in nft_input:
result.append(magenta("input: ") + line)
return False
- ipt = srccmd.split('-')[0]
- rc, output, error = run_proc([xtables_nft_multi, ipt + "-save"])
+ rc, output, error = run_proc([xtables_nft_multi] + checkcmd)
if rc != 0:
- result.append(name + ": " + red("Fail"))
- result.append(ipt + "-save call failed: " + error)
- return False
-
- if output.find(searchline) < 0:
- outline = None
- for l in output.split('\n'):
- if l.startswith('-A '):
- output = l
- break
- result.append(name + ": " + red("Replay fail"))
- result.append(magenta("src: '") + str(expected) + "'")
- result.append(magenta("exp: '") + searchline + "'")
- for l in output.split('\n'):
- result.append(magenta("res: ") + l)
+ result.append(name + ": " + red("Check Fail"))
+ result.append(magenta("check: ") + " ".join(checkcmd))
+ result.append(magenta("error: ") + error)
+ rc, output, error = run_proc([xtables_nft_multi, ipt + "-save"])
+ for l in output.split("\n"):
+ result.append(magenta("ipt: ") + l)
+ rc, output, error = run_proc([args.nft, "list", "ruleset"])
+ for l in output.split("\n"):
+ result.append(magenta("nft: ") + l)
return False
return True
--
2.38.0
next prev parent reply other threads:[~2022-12-01 16:40 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-01 16:39 [iptables PATCH 0/7] tests: xlate: generic.txlate to pass replay test Phil Sutter
2022-12-01 16:39 ` [iptables PATCH 1/7] ebtables: Implement --check command Phil Sutter
2022-12-08 21:40 ` Pablo Neira Ayuso
2022-12-09 0:41 ` Phil Sutter
2022-12-09 15:23 ` Pablo Neira Ayuso
2022-12-09 16:51 ` Phil Sutter
2022-12-09 20:09 ` Pablo Neira Ayuso
2022-12-01 16:39 ` Phil Sutter [this message]
2022-12-01 16:39 ` [iptables PATCH 3/7] nft: Fix for comparing ifname matches against nft-generated ones Phil Sutter
2022-12-01 16:39 ` [iptables PATCH 4/7] nft: Fix match generator for '! -i +' Phil Sutter
2022-12-08 12:23 ` Pablo Neira Ayuso
2022-12-08 13:19 ` Phil Sutter
2022-12-08 20:31 ` Pablo Neira Ayuso
2022-12-09 0:25 ` Phil Sutter
2022-12-01 16:39 ` [iptables PATCH 5/7] nft: Recognize INVAL/D interface name Phil Sutter
2022-12-01 16:39 ` [iptables PATCH 6/7] xtables-translate: Fix for interfaces with asterisk mid-string Phil Sutter
2022-12-01 16:39 ` [iptables PATCH 7/7] ebtables: Fix MAC address match translation Phil Sutter
2022-12-02 0:46 ` [iptables PATCH 0/7] tests: xlate: generic.txlate to pass replay test Phil Sutter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221201163916.30808-3-phil@nwl.cc \
--to=phil@nwl.cc \
--cc=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).