From: Phil Sutter <phil@nwl.cc>
To: netfilter-devel@vger.kernel.org
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Subject: [iptables PATCH 1/7] tests: iptables-test: Increase non-fast mode strictness
Date: Thu, 1 Feb 2024 14:50:51 +0100
Message-ID: <20240201135057.24828-2-phil@nwl.cc>
In-Reply-To: <20240201135057.24828-1-phil@nwl.cc>
The simple search for the rule in save output accepted arbitrary leading
and trailing rule parts. This was partly desired as it allowed omitting
the leading '-A' flag or ignoring the mandatory '-j CONTINUE' in ebtables
rules, though it could hide bugs.

Introduction of fast mode mitigated this due to the way it searches
for multiple rules at the same time, but there are cases which fast mode
does not support yet (e.g. test cases containing variant-specific rule
output).

Given that the save output format will never contain the rule in the first
or last line, enclosing the searched rule in newline characters is sufficient
to make the search apply to full lines only. The only drawback is having
to add '-A' and '-j CONTINUE' parts if needed.

The hidden bugs this revealed were:
- Long --nflog-prefix strings are not cut to 64 chars with iptables-nft
- The TCPMSS rule supposed to fail with legacy only must specify an
expected save output
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
extensions/libxt_NFLOG.t | 2 +-
extensions/libxt_TCPMSS.t | 2 +-
iptables-test.py | 6 +++++-
3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/extensions/libxt_NFLOG.t b/extensions/libxt_NFLOG.t
index 25f332ae16b6b..0cd81c643b2d5 100644
--- a/extensions/libxt_NFLOG.t
+++ b/extensions/libxt_NFLOG.t
@@ -15,7 +15,7 @@
-j NFLOG --nflog-size 4294967296;;FAIL
-j NFLOG --nflog-size -1;;FAIL
-j NFLOG --nflog-prefix xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;=;OK
--j NFLOG --nflog-prefix xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;-j NFLOG --nflog-prefix xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;OK
+-j NFLOG --nflog-prefix xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;-j NFLOG --nflog-prefix xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;OK;LEGACY;=
-j NFLOG --nflog-threshold 1;=;OK
# ERROR: line 13 (should fail: iptables -A INPUT -j NFLOG --nflog-threshold 0
# -j NFLOG --nflog-threshold 0;;FAIL
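Review bot: the trailing `;LEGACY;=` fields on the 65-character prefix line encode the iptables-nft truncation difference from the commit message without any marker in the file itself. Since this file already uses `#` comment lines, add one above the entry noting that iptables-nft currently does not cut `--nflog-prefix` to 64 characters, so the variant split is recognised as a workaround for that bug rather than as intended behaviour once nft is fixed.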
diff --git a/extensions/libxt_TCPMSS.t b/extensions/libxt_TCPMSS.t
index fbfbfcf88d81a..b3639cc17a935 100644
--- a/extensions/libxt_TCPMSS.t
+++ b/extensions/libxt_TCPMSS.t
@@ -1,6 +1,6 @@
:FORWARD,OUTPUT,POSTROUTING
*mangle
-j TCPMSS;;FAIL
--p tcp -j TCPMSS --set-mss 42;;FAIL;LEGACY
+-p tcp -j TCPMSS --set-mss 42;=;FAIL;LEGACY
-p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TCPMSS --set-mss 42;=;OK
-p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TCPMSS --clamp-mss-to-pmtu;=;OK
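Review bot: changing `;;FAIL;LEGACY` to `;=;FAIL;LEGACY` is correct but only repairs this one entry. With the stricter full-line match, an empty rule_save field paired with a variant-restricted FAIL can no longer match anything in save output, so iptables-test.py should reject that combination with an explicit parse error instead of reporting a generic "cannot find" for any other .t file carrying the same pattern.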
diff --git a/iptables-test.py b/iptables-test.py
index 179e366e02961..cefe42335d25d 100755
--- a/iptables-test.py
+++ b/iptables-test.py
@@ -143,7 +143,8 @@ STDERR_IS_TTY = sys.stderr.isatty()
return -1
# find the rule
- matching = out.find(rule_save.encode('utf-8'))
+ matching = out.find("\n-A {}\n".format(rule_save).encode('utf-8'))
+
if matching < 0:
if res == "OK":
reason = "cannot find: " + iptables + " -I " + rule
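Review bot: the hard-coded `"\n-A {}\n"` format assumes that no rule_save field already starts with `-A`; the commit message says the old substring search accepted either form, so any .t entry that spells out `-A` will now be searched as `-A -A ...` and fail with "cannot find". Either strip a leading `-A ` from rule_save before formatting, or have the parser reject it with a clear message so the failure is not mistaken for a save-output bug.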
@@ -470,6 +471,9 @@ STDERR_IS_TTY = sys.stderr.isatty()
else:
rule_save = chain + " " + item[1]
+ if iptables == EBTABLES and rule_save.find('-j') < 0:
+ rule_save += " -j CONTINUE"
+
res = item[2].rstrip()
if len(item) > 3:
variant = item[3].rstrip()
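Review bot: `rule_save.find('-j') < 0` is a substring test, so a rule whose option value happens to contain `-j` (a prefix or comment string, for instance) would skip the `-j CONTINUE` suffix and then fail the full-line match. Check for the token instead, e.g. `if iptables == EBTABLES and '-j' not in rule_save.split():`, which matches the commit message's intent of adding the mandatory '-j CONTINUE' only when no jump target is given.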
--
2.43.0
Thread overview: 9+ messages
2024-02-01 13:50 [iptables PATCH 0/7] A number of ASAN-identified fixes Phil Sutter
2024-02-01 13:50 ` Phil Sutter [this message]
2024-02-01 13:50 ` [iptables PATCH 2/7] nft: ruleparse: Add missing braces around ternary Phil Sutter
2024-02-01 13:50 ` [iptables PATCH 3/7] libxtables: Fix memleak of matches' udata Phil Sutter
2024-02-01 13:50 ` [iptables PATCH 4/7] xtables-eb: Eliminate 'opts' define Phil Sutter
2024-02-01 13:50 ` [iptables PATCH 5/7] xshared: Fix for memleak in option merging with ebtables Phil Sutter
2024-02-01 13:50 ` [iptables PATCH 6/7] xshared: Introduce xtables_clear_args() Phil Sutter
2024-02-01 13:50 ` [iptables PATCH 7/7] ebtables: Fix for memleak with change counters command Phil Sutter
2024-02-06 23:15 ` [iptables PATCH 0/7] A number of ASAN-identified fixes Phil Sutter