Commit 268c6aa1 authored by Arturo Borrero Gonzalez

Merge tag 'debian/1.8.5-3' into debian/buster-backports



Debian package 1.8.5-3
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
parents ada8a2c9 9fa0e185
...@@ -26,6 +26,7 @@ cmd 1 ip6tables -N foo ...@@ -26,6 +26,7 @@ cmd 1 ip6tables -N foo
# test rule adding # test rule adding
cmd 0 ip6tables -A INPUT -j ACCEPT cmd 0 ip6tables -A INPUT -j ACCEPT
cmd 1 ip6tables -A noexist -j ACCEPT cmd 1 ip6tables -A noexist -j ACCEPT
cmd 2 ip6tables -I INPUT -j foobar
# test rule checking # test rule checking
cmd 0 ip6tables -C INPUT -j ACCEPT cmd 0 ip6tables -C INPUT -j ACCEPT
......
...@@ -22,7 +22,7 @@ do_simple() ...@@ -22,7 +22,7 @@ do_simple()
table="${2}" table="${2}"
dumpfile="$(dirname "${0}")/dumps/${iptables}.dump" dumpfile="$(dirname "${0}")/dumps/${iptables}.dump"
"$XT_MULTI" "${iptables}-restore" --table="${table}" <"${dumpfile}"; rv=$? "$XT_MULTI" "${iptables}-restore" --table="${table}" "${dumpfile}"; rv=$?
if [ "${rv}" -ne 0 ]; then if [ "${rv}" -ne 0 ]; then
RET=1 RET=1
......
...@@ -14,7 +14,7 @@ ipt_show() { ...@@ -14,7 +14,7 @@ ipt_show() {
$XT_MULTI iptables-restore <<EOF $XT_MULTI iptables-restore <<EOF
*filter *filter
-A FORWARD -m comment --comment "appended rule" -j ACCEPT -A FORWARD -m comment --comment "rule 4" -j ACCEPT
-I FORWARD 1 -m comment --comment "rule 1" -j ACCEPT -I FORWARD 1 -m comment --comment "rule 1" -j ACCEPT
-I FORWARD 2 -m comment --comment "rule 2" -j ACCEPT -I FORWARD 2 -m comment --comment "rule 2" -j ACCEPT
-I FORWARD 3 -m comment --comment "rule 3" -j ACCEPT -I FORWARD 3 -m comment --comment "rule 3" -j ACCEPT
...@@ -24,7 +24,7 @@ EOF ...@@ -24,7 +24,7 @@ EOF
EXPECT='-A FORWARD -m comment --comment "rule 1" -j ACCEPT EXPECT='-A FORWARD -m comment --comment "rule 1" -j ACCEPT
-A FORWARD -m comment --comment "rule 2" -j ACCEPT -A FORWARD -m comment --comment "rule 2" -j ACCEPT
-A FORWARD -m comment --comment "rule 3" -j ACCEPT -A FORWARD -m comment --comment "rule 3" -j ACCEPT
-A FORWARD -m comment --comment "appended rule" -j ACCEPT' -A FORWARD -m comment --comment "rule 4" -j ACCEPT'
diff -u -Z <(echo -e "$EXPECT") <(ipt_show) diff -u -Z <(echo -e "$EXPECT") <(ipt_show)
...@@ -32,11 +32,14 @@ diff -u -Z <(echo -e "$EXPECT") <(ipt_show) ...@@ -32,11 +32,14 @@ diff -u -Z <(echo -e "$EXPECT") <(ipt_show)
$XT_MULTI iptables-restore --noflush <<EOF $XT_MULTI iptables-restore --noflush <<EOF
*filter *filter
-A FORWARD -m comment --comment "rule 5" -j ACCEPT
-I FORWARD 1 -m comment --comment "rule 0.5" -j ACCEPT -I FORWARD 1 -m comment --comment "rule 0.5" -j ACCEPT
-I FORWARD 3 -m comment --comment "rule 1.5" -j ACCEPT -I FORWARD 3 -m comment --comment "rule 1.5" -j ACCEPT
-I FORWARD 5 -m comment --comment "rule 2.5" -j ACCEPT -I FORWARD 5 -m comment --comment "rule 2.5" -j ACCEPT
-I FORWARD 7 -m comment --comment "rule 3.5" -j ACCEPT -I FORWARD 7 -m comment --comment "rule 3.5" -j ACCEPT
-I FORWARD 9 -m comment --comment "appended rule 2" -j ACCEPT -I FORWARD 9 -m comment --comment "rule 4.5" -j ACCEPT
-I FORWARD 11 -m comment --comment "rule 5.5" -j ACCEPT
-A FORWARD -m comment --comment "rule 6" -j ACCEPT
COMMIT COMMIT
EOF EOF
...@@ -47,8 +50,11 @@ EXPECT='-A FORWARD -m comment --comment "rule 0.5" -j ACCEPT ...@@ -47,8 +50,11 @@ EXPECT='-A FORWARD -m comment --comment "rule 0.5" -j ACCEPT
-A FORWARD -m comment --comment "rule 2.5" -j ACCEPT -A FORWARD -m comment --comment "rule 2.5" -j ACCEPT
-A FORWARD -m comment --comment "rule 3" -j ACCEPT -A FORWARD -m comment --comment "rule 3" -j ACCEPT
-A FORWARD -m comment --comment "rule 3.5" -j ACCEPT -A FORWARD -m comment --comment "rule 3.5" -j ACCEPT
-A FORWARD -m comment --comment "appended rule" -j ACCEPT -A FORWARD -m comment --comment "rule 4" -j ACCEPT
-A FORWARD -m comment --comment "appended rule 2" -j ACCEPT' -A FORWARD -m comment --comment "rule 4.5" -j ACCEPT
-A FORWARD -m comment --comment "rule 5" -j ACCEPT
-A FORWARD -m comment --comment "rule 5.5" -j ACCEPT
-A FORWARD -m comment --comment "rule 6" -j ACCEPT'
diff -u -Z <(echo -e "$EXPECT") <(ipt_show) diff -u -Z <(echo -e "$EXPECT") <(ipt_show)
...@@ -78,6 +84,8 @@ diff -u -Z <(echo -e "$EXPECT") <(ipt_show) ...@@ -78,6 +84,8 @@ diff -u -Z <(echo -e "$EXPECT") <(ipt_show)
$XT_MULTI iptables-restore --noflush <<EOF $XT_MULTI iptables-restore --noflush <<EOF
*filter *filter
-A FORWARD -m comment --comment "appended rule 4" -j ACCEPT
-D FORWARD 7
-D FORWARD -m comment --comment "appended rule 1" -j ACCEPT -D FORWARD -m comment --comment "appended rule 1" -j ACCEPT
-D FORWARD 3 -D FORWARD 3
-I FORWARD 3 -m comment --comment "manually replaced rule 2" -j ACCEPT -I FORWARD 3 -m comment --comment "manually replaced rule 2" -j ACCEPT
......
...@@ -24,7 +24,7 @@ clean_tempfile() ...@@ -24,7 +24,7 @@ clean_tempfile()
trap clean_tempfile EXIT trap clean_tempfile EXIT
ENTRY_NUM=$((RANDOM%100)) ENTRY_NUM=$((RANDOM%10))
UCHAIN_NUM=$((RANDOM%10)) UCHAIN_NUM=$((RANDOM%10))
get_target() get_target()
...@@ -45,8 +45,7 @@ get_target() ...@@ -45,8 +45,7 @@ get_target()
make_dummy_rules() make_dummy_rules()
{ {
echo "*${1:-filter}"
echo "*filter"
echo ":INPUT ACCEPT [0:0]" echo ":INPUT ACCEPT [0:0]"
echo ":FORWARD ACCEPT [0:0]" echo ":FORWARD ACCEPT [0:0]"
echo ":OUTPUT ACCEPT [0:0]" echo ":OUTPUT ACCEPT [0:0]"
...@@ -74,7 +73,7 @@ make_dummy_rules() ...@@ -74,7 +73,7 @@ make_dummy_rules()
tmpfile=$(mktemp) || exit 1 tmpfile=$(mktemp) || exit 1
dumpfile=$(mktemp) || exit 1 dumpfile=$(mktemp) || exit 1
make_dummy_rules > $dumpfile (make_dummy_rules; make_dummy_rules security) > $dumpfile
$XT_MULTI iptables-restore -w < $dumpfile $XT_MULTI iptables-restore -w < $dumpfile
LINES1=$(wc -l < $dumpfile) LINES1=$(wc -l < $dumpfile)
$XT_MULTI iptables-save | grep -v '^#' > $dumpfile $XT_MULTI iptables-save | grep -v '^#' > $dumpfile
...@@ -86,8 +85,8 @@ if [ $LINES1 -ne $LINES2 ]; then ...@@ -86,8 +85,8 @@ if [ $LINES1 -ne $LINES2 ]; then
fi fi
case "$XT_MULTI" in case "$XT_MULTI" in
*/xtables-nft-multi) *xtables-nft-multi)
attempts=$((RANDOM%200)) attempts=$((RANDOM%10))
attempts=$((attempts+1)) attempts=$((attempts+1))
;; ;;
*) *)
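Review bot: The new case pattern `*xtables-nft-multi)` matches any value that merely ends in that string (a binary named `foo-xtables-nft-multi` would select the nft branch), whereas the old `*/xtables-nft-multi` only matched a path component; the same loosening is applied in the nft-test `case` and in the two `[[ $XT_MULTI == *xtables-nft-multi ]]` guards in later sections of this commit. Presumably the intent is to also accept a bare command name in XT_MULTI; `*/xtables-nft-multi|xtables-nft-multi)` expresses exactly that, or `case "$(basename "$XT_MULTI")" in xtables-nft-multi)` as the new iptables-xml test in this same commit does. The `case` statement continues outside the hunk. Unrelated to the pattern, `ENTRY_NUM=$((RANDOM%10))` can now be 0 just as `RANDOM%100` could; if `make_dummy_rules` emits no rules in that case the line-count comparison later in the file still holds, but a `$((RANDOM%10 + 1))` would guarantee at least one rule per table is exercised.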
......
#!/bin/bash
# Make sure iptables-restore simply ignores
# rules starting with -6
set -e
# show rules, drop uninteresting policy settings
ipt_show() {
$XT_MULTI iptables -S | grep -v '^-P'
}
# issue reproducer for iptables-restore
$XT_MULTI iptables-restore <<EOF
*filter
-A FORWARD -m comment --comment any -j ACCEPT
-4 -A FORWARD -m comment --comment ipv4 -j ACCEPT
-6 -A FORWARD -m comment --comment ipv6 -j ACCEPT
COMMIT
EOF
EXPECT='-A FORWARD -m comment --comment any -j ACCEPT
-A FORWARD -m comment --comment ipv4 -j ACCEPT'
diff -u -Z <(echo -e "$EXPECT") <(ipt_show)
#!/bin/bash
# Make sure ip6tables-restore simply ignores
# rules starting with -4
set -e
# show rules, drop uninteresting policy settings
ipt_show() {
$XT_MULTI ip6tables -S | grep -v '^-P'
}
# issue reproducer for ip6tables-restore
$XT_MULTI ip6tables-restore <<EOF
*filter
-A FORWARD -m comment --comment any -j ACCEPT
-4 -A FORWARD -m comment --comment ipv4 -j ACCEPT
-6 -A FORWARD -m comment --comment ipv6 -j ACCEPT
COMMIT
EOF
EXPECT='-A FORWARD -m comment --comment any -j ACCEPT
-A FORWARD -m comment --comment ipv6 -j ACCEPT'
diff -u -Z <(echo -e "$EXPECT") <(ipt_show)
#!/bin/bash
# Make sure iptables-restore without --noflush does not flush tables other than
# those contained in the dump it's reading from
set -e
$XT_MULTI iptables-restore <<EOF
*nat
-A POSTROUTING -j ACCEPT
COMMIT
EOF
EXPECT="*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -j ACCEPT
COMMIT"
diff -u -Z <(echo -e "$EXPECT" | sort) <($XT_MULTI iptables-save | grep -v '^#' | sort)
$XT_MULTI iptables-restore <<EOF
*filter
-A FORWARD -j ACCEPT
COMMIT
EOF
EXPECT="*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -j ACCEPT
COMMIT"
diff -u -Z <(echo -e "$EXPECT" | sort) <($XT_MULTI iptables-save | grep -v '^#' | sort)
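Review bot: Piping both sides of the two `diff -u -Z <(echo -e "$EXPECT" | sort) <($XT_MULTI iptables-save | grep -v '^#' | sort)` comparisons through `sort` turns the check into an unordered multiset comparison, so the test no longer verifies which table a line belongs to: a `COMMIT` or `:INPUT ACCEPT [0:0]` line under the wrong `*table` header would still match. Presumably the sort is there because table order in `iptables-save` output differs between backends; comparing one table at a time, `<($XT_MULTI iptables-save -t nat | grep -v '^#' | sort)` against the nat part of EXPECT and likewise for `-t filter`, keeps the table association while tolerating that order. The second restore also relies on the first one's nat rule surviving, which is the point of the test; a comment saying so above the second heredoc would help the next reader.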
#!/bin/bash
set -e
DUMP="*filter
:foo - [23:42]
[13:37] -A foo -j ACCEPT
COMMIT
"
EXPECT=":foo - [0:0]
[0:0] -A foo -j ACCEPT"
$XT_MULTI iptables-restore <<< "$DUMP"
diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables-save --counters | grep foo)
# iptables-*-restore ignores custom chain counters :(
EXPECT=":foo - [0:0]
[13:37] -A foo -j ACCEPT"
$XT_MULTI iptables-restore --counters <<< "$DUMP"
diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables-save --counters | grep foo)
#!/bin/bash
# when restoring a ruleset, *tables-restore prefixes each rule with
# '-t <tablename>' so standard rule parsing routines may be used. This means
# that it has to detect and reject rules which already contain a table option.
families="ip ip6"
[[ $(basename $XT_MULTI) == xtables-nft-multi ]] && families+=" eb"
for fam in $families; do
$XT_MULTI ${fam}tables-restore <<EOF
*filter
-t nat -A FORWARD -j ACCEPT
COMMIT
EOF
[[ $? != 0 ]] || {
echo "${fam}tables-restore did not fail when it should have"
exit 1
}
$XT_MULTI ${fam}tables-restore <<EOF
*filter
-A FORWARD -j ACCEPT
COMMIT
EOF
[[ $? == 0 ]] || {
echo "${fam}tables-restore failed when it should not have"
exit 1
}
done
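Review bot: The checks `[[ $? != 0 ]]` and `[[ $? == 0 ]]` read the status two lines after the restore command because the heredoc body sits in between, which is easy to break by inserting anything there, and `!=`/`==` compare the status as strings; `(( $? != 0 ))` makes the numeric intent explicit, and the diagnostic `echo "${fam}tables-restore did not fail when it should have" >&2` keeps the failure message on stderr where a harness capturing stdout will still show it. The script has no `set -e`, which is deliberate here since every command's status is checked by hand, but a one-line comment stating that would stop someone from adding it and turning the expected failure in the first restore into an abort.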
#!/bin/sh -e
# assert input feed from buffer doesn't trip over
# added nul-chars from parsing chain line.
$XT_MULTI iptables-restore --noflush <<EOF
*filter
:foobar - [0:0]
-A foobar -j ACCEPT
COMMIT
EOF
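Review bot: The `-e` on the `#!/bin/sh -e` shebang line is only honoured when the file is executed directly; if the test runner invokes it as `sh path` or `bash path` (not visible here), a failing `iptables-restore --noflush` is not fatal and the test passes on exactly the regression it is meant to catch. `set -e` as the first statement after the shebang is robust either way. The two following new files use `#!/bin/bash -e` and have the same dependence.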
#!/bin/bash -e
# make sure empty lines won't break --noflush
cat <<EOF | $XT_MULTI iptables-restore --noflush
# just a comment followed by innocent empty line
*filter
-A FORWARD -j ACCEPT
COMMIT
EOF
EXPECT='Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 '
diff -u <(echo "$EXPECT") <($XT_MULTI iptables -n -L FORWARD)
#!/bin/bash -e
# make sure -F lines don't cause segfaults
RULESET='*nat
-F PREROUTING
-A PREROUTING -j ACCEPT
-F PREROUTING
COMMIT'
echo -e "$RULESET" | $XT_MULTI iptables-restore
echo -e "$RULESET" | $XT_MULTI iptables-restore -n
#!/bin/bash
set -e
# segfault with --test reported in nfbz#1391
printf '%s\nCOMMIT\n' '*nat' '*raw' '*filter' | $XT_MULTI iptables-restore --test
#!/bin/bash
case "$(basename $XT_MULTI)" in
xtables-legacy-multi)
;;
*)
echo "skip $XT_MULTI"
exit 0
;;
esac
dump=$(dirname $0)/dumps/fedora27-iptables
diff -u -Z <(cat ${dump}.xml) <($XT_MULTI iptables-xml <$dump)
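Review bot: `$0` and `${dump}` are unquoted in `dump=$(dirname $0)/dumps/fedora27-iptables` and in the final diff, and the left side of the diff goes through `<(cat ${dump}.xml)` although `diff` takes a file name directly; `dump=$(dirname "$0")/dumps/fedora27-iptables` and `diff -u -Z "${dump}.xml" <($XT_MULTI iptables-xml <"$dump")` do the same with one process fewer and survive a checkout path containing spaces. The XML fixture itself is test data and needs no review.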
<iptables-rules version="1.0">
<!-- # Completed on Sat Feb 17 10:50:33 2018 -->
<!-- # Generated by iptables*-save v1.6.1 on Sat Feb 17 10:50:33 2018 -->
<table name="mangle" >
<chain name="PREROUTING" policy="ACCEPT" packet-count="0" byte-count="0" >
<rule packet-count="1" byte-count="2" >
<actions>
<call >
<PREROUTING_direct />
</call>
</actions>
</rule>
<rule packet-count="3" byte-count="4" >
<actions>
<call >
<PREROUTING_ZONES_SOURCE />
</call>
</actions>
</rule>
<rule packet-count="0" byte-count="0" >
<actions>
<call >
<PREROUTING_ZONES />
</call>
</actions>
</rule>
</chain>
<chain name="INPUT" policy="ACCEPT" packet-count="0" byte-count="0" >
<rule packet-count="0" byte-count="0" >
<actions>
<call >
<INPUT_direct />
</call>
</actions>
</rule>
</chain>
<chain name="FORWARD" policy="ACCEPT" packet-count="0" byte-count="0" >
<rule packet-count="0" byte-count="0" >
<actions>
<call >
<FORWARD_direct />
</call>
</actions>
</rule>
</chain>
<chain name="OUTPUT" policy="ACCEPT" packet-count="0" byte-count="0" >
<rule packet-count="0" byte-count="0" >
<actions>
<call >
<OUTPUT_direct />
</call>
</actions>
</rule>
</chain>
<chain name="POSTROUTING" policy="ACCEPT" packet-count="0" byte-count="0" >
<rule packet-count="0" byte-count="0" >
<conditions>
<match >
<o >virbr0</o>
<p >udp</p>
</match>
<udp >
<dport >68</dport>
</udp>
</conditions>
<actions>
<CHECKSUM >
<checksum-fill />
</CHECKSUM>
</actions>
</rule>
<rule packet-count="0" byte-count="0" >
<actions>
<call >
<POSTROUTING_direct />
</call>
</actions>
</rule>
</chain>
<chain name="PREROUTING_ZONES" packet-count="0" byte-count="0" >
<rule packet-count="0" byte-count="0" >
<conditions>
<match >
<i >wlp58s0</i>
</match>
</conditions>
<actions>
<goto >
<PRE_FedoraWorkstation />
</goto>
</actions>
</rule>
<rule packet-count="0" byte-count="0" >
<actions>
<goto >
<PRE_FedoraWorkstation />
</goto>
</actions>
</rule>
</chain>
<chain name="PRE_FedoraWorkstation" packet-count="0" byte-count="0" >
<rule packet-count="0" byte-count="0" >
<actions>
<call >
<PRE_FedoraWorkstation_log />
</call>
</actions>
</rule>
<rule packet-count="0" byte-count="0" >
<actions>
<call >
<PRE_FedoraWorkstation_deny />
</call>
</actions>
</rule>
<rule packet-count="0" byte-count="0" >
<actions>
<call >
<PRE_FedoraWorkstation_allow />
</call>
</actions>
</rule>
</chain>
<chain name="FORWARD_direct" packet-count="0" byte-count="0" />
<chain name="INPUT_direct" packet-count="0" byte-count="0" />
<chain name="OUTPUT_direct" packet-count="0" byte-count="0" />
<chain name="POSTROUTING_direct" packet-count="0" byte-count="0" />
<chain name="PREROUTING_ZONES_SOURCE" packet-count="0" byte-count="0" />
<chain name="PREROUTING_direct" packet-count="0" byte-count="0" />
<chain name="PRE_FedoraWorkstation_allow" packet-count="0" byte-count="0" />
<chain name="PRE_FedoraWorkstation_deny" packet-count="0" byte-count="0" />
<chain name="PRE_FedoraWorkstation_log" packet-count="0" byte-count="0" />
</table>
<!-- # Completed on Sat Feb 17 10:50:33 2018 -->
<!-- # Generated by iptables*-save v1.6.1 on Sat Feb 17 10:50:33 2018 -->
<table name="raw" >
<chain name="PREROUTING" policy="ACCEPT" packet-count="1681" byte-count="2620433" >
<rule packet-count="0" byte-count="0" >
<actions>
<call >
<PREROUTING_direct />
</call>
</actions>
</rule>
<rule packet-count="0" byte-count="0" >
<actions>
<call >
<PREROUTING_ZONES_SOURCE />
</call>
</actions>
</rule>
<rule packet-count="0" byte-count="0" >
<actions>
<call >
<PREROUTING_ZONES />
</call>
</actions>
</rule>
</chain>
<chain name="OUTPUT" policy="ACCEPT" packet-count="1619" byte-count="171281" >
<rule packet-count="0" byte-count="0" >
<actions>
<call >
<OUTPUT_direct />
</call>
</actions>
</rule>
</chain>
<chain name="PREROUTING_ZONES" packet-count="0" byte-count="0" >
<rule packet-count="0" byte-count="0" >
<conditions>
<match >
<i >wlp58s0</i>
</match>
</conditions>
<actions>
<goto >
<PRE_FedoraWorkstation />
</goto>
</actions>
</rule>
<rule packet-count="0" byte-count="0" >
<actions>
<goto >
<PRE_FedoraWorkstation />
</goto>
</actions>
</rule>
</chain>
<chain name="PRE_FedoraWorkstation" packet-count="0" byte-count="0" >
<rule packet-count="0" byte-count="0" >
<actions>
<call >
<PRE_FedoraWorkstation_log />
</call>
</actions>
</rule>
<rule packet-count="0" byte-count="0" >
<actions>
<call >
<PRE_FedoraWorkstation_deny />
</call>
</actions>
</rule>
<rule packet-count="0" byte-count="0" >
<actions>
<call >
<PRE_FedoraWorkstation_allow />
</call>
</actions>
</rule>
</chain>
<chain name="PRE_FedoraWorkstation_allow" packet-count="0" byte-count="0" >
<rule packet-count="0" byte-count="0" >
<conditions>
<match >
<p >udp</p>
</match>
<udp >
<dport >137</dport>
</udp>
</conditions>
<actions>
<CT >
<helper >netbios-ns</helper>
</CT>
</actions>
</rule>
</chain>
<chain name="OUTPUT_direct" packet-count="0" byte-count="0" />
<chain name="PREROUTING_ZONES_SOURCE" packet-count="0" byte-count="0" />
<chain name="PREROUTING_direct" packet-count="0" byte-count="0" />
<chain name="PRE_FedoraWorkstation_deny" packet-count="0" byte-count="0" />
<chain name="PRE_FedoraWorkstation_log" packet-count="0" byte-count="0" />
</table>
<!-- # Completed on Sat Feb 17 10:50:33 2018 -->
<!-- # Generated by iptables*-save v1.6.1 on Sat Feb 17 10:50:33 2018 -->
<table name="filter" >
<chain name="INPUT" policy="ACCEPT" packet-count="0" byte-count="0" >
<rule packet-count="5" byte-count="6" >
<conditions>
<match >
<i >virbr0</i>
<p >udp</p>
</match>
<udp >
<dport >53</dport>
</udp>
</conditions>
<actions>
<ACCEPT />
</actions>
</rule>
<rule packet-count="0" byte-count="123456789" >
<conditions>
<match >
<i >virbr0</i>
<p >tcp</p>
</match>
<tcp >
<dport >53</dport>
</tcp>
</conditions>
<actions>
<ACCEPT />
</actions>
</rule>
<rule packet-count="0" byte-count="0" >
<conditions>
<match >
<i >virbr0</i>
<p >udp</p>
</match>
<udp >
<dport >67</dport>
</udp>
</conditions>
<actions>
<ACCEPT />
</actions>
</rule>
<rule packet-count="0" byte-count="0" >
<conditions>
<match >
<i >virbr0</i>
<p >tcp</p>
</match>
<tcp >
<dport >67</dport>
</tcp>
</conditions>
<actions>
<ACCEPT />
</actions>
</rule>
<rule packet-count="0" byte-count="0" >
<conditions>
<conntrack >
<ctstate >RELATED,ESTABLISHED</ctstate>
</conntrack>
</conditions>
<actions>
<ACCEPT />
</actions>
</rule>
<rule packet-count="0" byte-count="0" >
<conditions>
<match >
<i >lo</i>
</match>
</conditions>
<actions>
<ACCEPT />
</actions>
</rule>
<rule packet-count="0" byte-count="0" >
<actions>
<call >
<INPUT_direct />
</call>
</actions>
</rule>
<rule packet-count="0" byte-count="0" >
<actions>
<call >
<INPUT_ZONES_SOURCE />
</call>
</actions>
</rule>
<rule packet-count="0" byte-count="0" >
<actions>
<call >
<INPUT_ZONES />
</call>
</actions>
</rule>
<rule packet-count="0" byte-count="0" >
<conditions>
<conntrack >
<ctstate >INVALID</ctstate>
</conntrack>
</conditions>
<actions>
<DROP />
</actions>
</rule>
<rule packet-count="0" byte-count="0" >
<actions>
<REJECT >
<reject-with >icmp-host-prohibited</reject-with>
</REJECT>
</actions>
</rule>
</chain>
<chain name="FORWARD" policy="ACCEPT" packet-count="0" byte-count="0" >
<rule packet-count="0" byte-count="0" >
<conditions>
<match >
<d >192.168.122.0/24</d>
<o >virbr0</o>
</match>
<conntrack >
<ctstate >RELATED,ESTABLISHED</ctstate>
</conntrack>
</conditions>
<actions>
<ACCEPT />
</actions>
</rule>
<rule packet-count="0" byte-count="0" >
<conditions>
<match >
<s >192.168.122.0/24</s>
<i >virbr0</i>
</match>
</conditions>
<actions>
<ACCEPT />
</actions>
</rule>
<rule packet-count="0" byte-count="0" >
<conditions>
<match >
<i >virbr0</i>
<o >virbr0</o>
</match>
</conditions>
<actions>
<ACCEPT />
</actions>
</rule>
<rule packet-count="0" byte-count="0" >
<conditions>
<match >
<o >virbr0</o>
</match>
</conditions>
<actions>
<REJECT >
<reject-with >icmp-port-unreachable</reject-with>
</REJECT>
</actions>
</rule>
<rule packet-count="0" byte-count="0" >
<conditions>
<match >
<i >virbr0</i>
</match>
</conditions>
<actions>
<REJECT >
<reject-with >icmp-port-unreachable</reject-with>
</REJECT>
</actions>
</rule>
<rule packet-count="0" byte-count="0" >
<conditions>
<conntrack >
<ctstate >RELATED,ESTABLISHED</ctstate>
</conntrack>
</conditions>
<actions>
<ACCEPT />
</actions>
</rule>
<rule packet-count="0" byte-count="0" >
<conditions>
<match >
<i >lo</i>
</match>
</conditions>
<actions>
<ACCEPT />
</actions>
</rule>
<rule packet-count="0" byte-count="0" >
<actions>
<call >
<FORWARD_direct />
</call>
</actions>
</rule>
<rule packet-count="0" byte-count="0" >
<actions>
<call >
<FORWARD_IN_ZONES_SOURCE />
</call>
</actions>
</rule>
<rule packet-count="0" byte-count="0" >
<actions>
<call >
<FORWARD_IN_ZONES />
</call>
</actions>
</rule>
<rule packet-count="0" byte-count="0" >
<actions>
<call >
<FORWARD_OUT_ZONES_SOURCE />
</call>
</actions>
</rule>
<rule packet-count="0" byte-count="0" >
<actions>
<call >
<FORWARD_OUT_ZONES />
</call>
</actions>
</rule>
<rule packet-count="0" byte-count="0" >
<conditions>
<conntrack >
<ctstate >INVALID</ctstate>
</conntrack>
</conditions>
<actions>
<DROP />
</actions>
</rule>
<rule packet-count="0" byte-count="0" >
<actions>
<REJECT >
<reject-with >icmp-host-prohibited</reject-with>
</REJECT>
</actions>
</rule>
</chain>
<chain name="OUTPUT" policy="ACCEPT" packet-count="1619" byte-count="171281" >
<rule packet-count="0" byte-count="0" >
<conditions>
<match >
<o >virbr0</o>
<p >udp</p>
</match>
<udp >
<dport >68</dport>
</udp>
</conditions>
<actions>
<ACCEPT />
</actions>
</rule>
<rule packet-count="0" byte-count="0" >
<actions>
<call >
<OUTPUT_direct />
</call>
</actions>
</rule>
</chain>
<chain name="FORWARD_IN_ZONES" packet-count="0" byte-count="0" >
<rule packet-count="0" byte-count="0" >
<conditions>
<match >
<i >wlp58s0</i>
</match>
</conditions>
<actions>
<goto >
<FWDI_FedoraWorkstation />
</goto>
</actions>
</rule>
<rule packet-count="0" byte-count="0" >
<actions>
<goto >
<FWDI_FedoraWorkstation />
</goto>
</actions>
</rule>
</chain>
<chain name="FORWARD_OUT_ZONES" packet-count="0" byte-count="0" >
<rule packet-count="0" byte-count="0" >
<conditions>
<match >
<o >wlp58s0</o>
</match>
</conditions>
<actions>
<goto >
<FWDO_FedoraWorkstation />
</goto>
</actions>
</rule>
<rule packet-count="0" byte-count="0" >
<actions>
<goto >
<FWDO_FedoraWorkstation />
</goto>
</actions>
</rule>
</chain>
<chain name="FWDI_FedoraWorkstation" packet-count="0" byte-count="0" >
<rule packet-count="0" byte-count="0" >
<actions>
<call >
<FWDI_FedoraWorkstation_log />
</call>
</actions>
</rule>
<rule packet-count="0" byte-count="0" >
<actions>
<call >
<FWDI_FedoraWorkstation_deny />
</call>
</actions>
</rule>
<rule packet-count="0" byte-count="0" >
<actions>
<call >
<FWDI_FedoraWorkstation_allow />
</call>
</actions>
</rule>
<rule packet-count="0" byte-count="0" >
<conditions>
<match >
<p >icmp</p>
</match>
</conditions>
<actions>
<ACCEPT />
</actions>
</rule>
</chain>
<chain name="FWDO_FedoraWorkstation" packet-count="0" byte-count="0" >
<rule packet-count="0" byte-count="0" >
<actions>
<call >
<FWDO_FedoraWorkstation_log />
</call>
</actions>
</rule>
<rule packet-count="0" byte-count="0" >
<actions>
<call >
<FWDO_FedoraWorkstation_deny />
</call>
</actions>
</rule>
<rule packet-count="0" byte-count="0" >
<actions>
<call >
<FWDO_FedoraWorkstation_allow />
</call>
</actions>
</rule>
</chain>
<chain name="INPUT_ZONES" packet-count="0" byte-count="0" >
<rule packet-count="0" byte-count="0" >
<conditions>
<match >
<i >wlp58s0</i>
</match>
</conditions>
<actions>
<goto >
<IN_FedoraWorkstation />
</goto>
</actions>
</rule>
<rule packet-count="0" byte-count="0" >
<actions>
<goto >
<IN_FedoraWorkstation />
</goto>
</actions>
</rule>
</chain>
<chain name="IN_FedoraWorkstation" packet-count="0" byte-count="0" >
<rule packet-count="0" byte-count="0" >
<actions>
<call >
<IN_FedoraWorkstation_log />
</call>
</actions>
</rule>
<rule packet-count="0" byte-count="0" >
<actions>
<call >
<IN_FedoraWorkstation_deny />
</call>
</actions>
</rule>
<rule packet-count="0" byte-count="0" >
<actions>
<call >
<IN_FedoraWorkstation_allow />
</call>
</actions>
</rule>
<rule packet-count="0" byte-count="0" >
<conditions>
<match >
<p >icmp</p>
</match>
</conditions>
<actions>
<ACCEPT />
</actions>
</rule>
</chain>
<chain name="IN_FedoraWorkstation_allow" packet-count="0" byte-count="0" >
<rule packet-count="0" byte-count="0" >
<conditions>
<match >
<p >udp</p>
</match>
<udp >
<dport >137</dport>
</udp>
<conntrack >
<ctstate >NEW</ctstate>
</conntrack>
</conditions>
<actions>
<ACCEPT />
</actions>
</rule>
<rule packet-count="0" byte-count="0" >
<conditions>
<match >
<p >udp</p>
</match>
<udp >
<dport >138</dport>
</udp>
<conntrack >
<ctstate >NEW</ctstate>
</conntrack>
</conditions>
<actions>
<ACCEPT />
</actions>
</rule>
<rule packet-count="0" byte-count="0" >
<conditions>
<match >
<p >tcp</p>
</match>
<tcp >
<dport >22</dport>
</tcp>
<conntrack >
<ctstate >NEW</ctstate>
</conntrack>
</conditions>
<actions>
<ACCEPT />
</actions>
</rule>
<rule packet-count="0" byte-count="0" >
<conditions>
<match >
<d >224.0.0.251/32</d>
<p >udp</p>
</match>
<udp >
<dport >5353</dport>
</udp>
<conntrack >
<ctstate >NEW</ctstate>
</conntrack>
</conditions>
<actions>
<ACCEPT />
</actions>
</rule>
<rule packet-count="0" byte-count="0" >
<conditions>
<match >
<p >udp</p>
</match>
<udp >
<dport >1025:65535</dport>
</udp>
<conntrack >
<ctstate >NEW</ctstate>
</conntrack>
</conditions>
<actions>
<ACCEPT />
</actions>
</rule>
<rule packet-count="7" byte-count="8" >
<conditions>
<match >
<p >tcp</p>
</match>
<tcp >
<dport >1025:65535</dport>
</tcp>
<conntrack >
<ctstate >NEW</ctstate>
</conntrack>
</conditions>
<actions>
<ACCEPT />
</actions>
</rule>
</chain>
<chain name="FORWARD_IN_ZONES_SOURCE" packet-count="0" byte-count="0" />
<chain name="FORWARD_OUT_ZONES_SOURCE" packet-count="0" byte-count="0" />
<chain name="FORWARD_direct" packet-count="0" byte-count="0" />
<chain name="FWDI_FedoraWorkstation_allow" packet-count="0" byte-count="0" />
<chain name="FWDI_FedoraWorkstation_deny" packet-count="0" byte-count="0" />
<chain name="FWDI_FedoraWorkstation_log" packet-count="0" byte-count="0" />
<chain name="FWDO_FedoraWorkstation_allow" packet-count="0" byte-count="0" />
<chain name="FWDO_FedoraWorkstation_deny" packet-count="0" byte-count="0" />
<chain name="FWDO_FedoraWorkstation_log" packet-count="0" byte-count="0" />
<chain name="INPUT_ZONES_SOURCE" packet-count="0" byte-count="0" />
<chain name="INPUT_direct" packet-count="0" byte-count="0" />
<chain name="IN_FedoraWorkstation_deny" packet-count="0" byte-count="0" />
<chain name="IN_FedoraWorkstation_log" packet-count="0" byte-count="0" />
<chain name="OUTPUT_direct" packet-count="0" byte-count="0" />
</table>
<!-- # Completed on Sat Feb 17 10:50:33 2018 -->
</iptables-rules>
...@@ -54,10 +54,16 @@ cmd 1 "$ENOENT" iptables -Z bar ...@@ -54,10 +54,16 @@ cmd 1 "$ENOENT" iptables -Z bar
# test chain rename # test chain rename
cmd 0 iptables -E foo bar cmd 0 iptables -E foo bar
cmd 1 "$EEXIST_F" iptables -E foo bar cmd 1 "$EEXIST_F" iptables -E foo bar
cmd 1 "$ENOENT" iptables -E foo bar2
cmd 0 iptables -N foo2
cmd 1 "$EEXIST_F" iptables -E foo2 bar
# test rule adding # test rule adding
cmd 0 iptables -A INPUT -j ACCEPT cmd 0 iptables -A INPUT -j ACCEPT
cmd 1 "$ENOENT" iptables -A noexist -j ACCEPT cmd 1 "$ENOENT" iptables -A noexist -j ACCEPT
cmd 2 "" iptables -I INPUT -j foobar
cmd 2 "" iptables -R INPUT 1 -j foobar
cmd 2 "" iptables -D INPUT -j foobar
# test rulenum commands # test rulenum commands
cmd 1 "$E2BIG_I" iptables -I INPUT 23 -j ACCEPT cmd 1 "$E2BIG_I" iptables -I INPUT 23 -j ACCEPT
......
#!/bin/bash
RC=0
$XT_MULTI iptables -6 -A FORWARD -j ACCEPT
rc=$?
if [[ $rc -ne 2 ]]; then
echo "'iptables -6' returned $rc instead of 2"
RC=1
fi
$XT_MULTI ip6tables -4 -A FORWARD -j ACCEPT
rc=$?
if [[ $rc -ne 2 ]]; then
echo "'ip6tables -4' returned $rc instead of 2"
RC=1
fi
RULESET='*filter
-4 -A FORWARD -d 10.0.0.1 -j ACCEPT
-6 -A FORWARD -d fec0:10::1 -j ACCEPT
COMMIT
'
EXPECT4='-P FORWARD ACCEPT
-A FORWARD -d 10.0.0.1/32 -j ACCEPT'
EXPECT6='-P FORWARD ACCEPT
-A FORWARD -d fec0:10::1/128 -j ACCEPT'
EXPECT_EMPTY='-P FORWARD ACCEPT'
echo "$RULESET" | $XT_MULTI iptables-restore || {
echo "iptables-restore failed!"
RC=1
}
diff -u -Z <(echo -e "$EXPECT4") <($XT_MULTI iptables -S FORWARD) || {
echo "unexpected iptables ruleset"
RC=1
}
diff -u -Z <(echo -e "$EXPECT_EMPTY") <($XT_MULTI ip6tables -S FORWARD) || {
echo "unexpected non-empty ip6tables ruleset"
RC=1
}
$XT_MULTI iptables -F FORWARD
echo "$RULESET" | $XT_MULTI ip6tables-restore || {
echo "ip6tables-restore failed!"
RC=1
}
diff -u -Z <(echo -e "$EXPECT6") <($XT_MULTI ip6tables -S FORWARD) || {
echo "unexpected ip6tables ruleset"
RC=1
}
diff -u -Z <(echo -e "$EXPECT_EMPTY") <($XT_MULTI iptables -S FORWARD) || {
echo "unexpected non-empty iptables ruleset"
RC=1
}
$XT_MULTI ip6tables -F FORWARD
$XT_MULTI iptables -4 -A FORWARD -d 10.0.0.1 -j ACCEPT || {
echo "iptables failed!"
RC=1
}
diff -u -Z <(echo -e "$EXPECT4") <($XT_MULTI iptables -S FORWARD) || {
echo "unexpected iptables ruleset"
RC=1
}
diff -u -Z <(echo -e "$EXPECT_EMPTY") <($XT_MULTI ip6tables -S FORWARD) || {
echo "unexpected non-empty ip6tables ruleset"
RC=1
}
$XT_MULTI iptables -F FORWARD
$XT_MULTI ip6tables -6 -A FORWARD -d fec0:10::1 -j ACCEPT || {
echo "ip6tables failed!"
RC=1
}
diff -u -Z <(echo -e "$EXPECT6") <($XT_MULTI ip6tables -S FORWARD) || {
echo "unexpected ip6tables ruleset"
RC=1
}
diff -u -Z <(echo -e "$EXPECT_EMPTY") <($XT_MULTI iptables -S FORWARD) || {
echo "unexpected non-empty iptables ruleset"
RC=1
}
exit $RC
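Review bot: The eight `diff -u -Z <(echo -e "$EXPECT…") <($XT_MULTI …tables -S FORWARD) || { echo …; RC=1; }` blocks differ only in the family, the expected string and the message, and the script also uses `RC` for the aggregate result and `rc` for a single command's status, two names distinguished by case alone (`status=$?` would read better for the latter). A small helper removes the repetition and makes each check a single line, as sketched below for the first pair; the remaining three pairs follow the same shape.
```shell
# check_forward CMD EXPECT MSG: compare CMD's FORWARD chain with EXPECT, set RC on mismatch
check_forward() {
	local cmd=$1 expect=$2 msg=$3
	diff -u -Z <(echo -e "$expect") <($XT_MULTI "$cmd" -S FORWARD) || {
		echo "$msg"
		RC=1
	}
}
# … unchanged: RULESET, EXPECT4, EXPECT6, EXPECT_EMPTY definitions …
echo "$RULESET" | $XT_MULTI iptables-restore || {
	echo "iptables-restore failed!"
	RC=1
}
check_forward iptables "$EXPECT4" "unexpected iptables ruleset"
check_forward ip6tables "$EXPECT_EMPTY" "unexpected non-empty ip6tables ruleset"
# … unchanged: the three remaining restore/add steps, each followed by two check_forward calls …
```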
...@@ -5,17 +5,18 @@ ...@@ -5,17 +5,18 @@
# xtables: avoid bogus 'is incompatible' warning # xtables: avoid bogus 'is incompatible' warning
case "$XT_MULTI" in case "$XT_MULTI" in
*/xtables-nft-multi) *xtables-nft-multi)
nft -v >/dev/null || exit 0
nft 'add table ip nft-test; add chain ip nft-test foobar { type filter hook forward priority 42; }' || exit 1
nft 'add table ip6 nft-test; add chain ip6 nft-test foobar { type filter hook forward priority 42; }' || exit 1
$XT_MULTI iptables -L -t filter || exit 1
$XT_MULTI ip6tables -L -t filter || exit 1
;; ;;
*) *)
echo skip $XT_MULTI echo skip $XT_MULTI
exit 0
;; ;;
esac esac
nft -v >/dev/null || exit 0
nft 'add table ip nft-test; add chain ip nft-test foobar { type filter hook forward priority 42; }' || exit 1
nft 'add table ip6 nft-test; add chain ip6 nft-test foobar { type filter hook forward priority 42; }' || exit 1
$XT_MULTI iptables -L -t filter || exit 1
$XT_MULTI ip6tables -L -t filter || exit 1
exit 0 exit 0
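Review bot: The two `nft 'add table … nft-test …'` commands create tables in the ip and ip6 families that the script never removes; if the harness does not run each test in a throwaway network namespace (not visible here) they persist and can influence later tests, and a second run of this test would hit "already exists" on the add. Registering `trap 'nft delete table ip nft-test 2>/dev/null; nft delete table ip6 nft-test 2>/dev/null' EXIT` right after the `nft -v` check bounds their lifetime to the test. `nft -v >/dev/null || exit 0` also skips silently when nft is missing, unlike the `*)` branch which prints why; `nft -v >/dev/null || { echo "skip $XT_MULTI: nft not available"; exit 0; }` keeps the two skip paths consistent.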
...@@ -2,7 +2,7 @@ ...@@ -2,7 +2,7 @@
set -e set -e
[[ $XT_MULTI == */xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } [[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
$XT_MULTI iptables -A INPUT -p tcp --dport 53 ! -s 192.168.0.1 -j ACCEPT $XT_MULTI iptables -A INPUT -p tcp --dport 53 ! -s 192.168.0.1 -j ACCEPT
$XT_MULTI ip6tables -A INPUT -p tcp --dport 53 ! -s feed:babe::1 -j ACCEPT $XT_MULTI ip6tables -A INPUT -p tcp --dport 53 ! -s feed:babe::1 -j ACCEPT
......
...@@ -2,7 +2,7 @@ ...@@ -2,7 +2,7 @@
set -e set -e
[[ $XT_MULTI == */xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } [[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
comment1="foo bar" comment1="foo bar"
comment2="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" comment2="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
......