Skip to content

GitLab

Commit dd6b25de authored by Arturo Borrero Gonzalez's avatar Arturo Borrero Gonzalez
Browse files

Merge tag 'upstream/1.6.0+snapshot20161117' 

Upstream version 1.6.0+snapshot20161117
parents 8fceaf37 7b095084
Show whitespace changes
Inline Side-by-side
extensions/libxt_socket.t 0 → 100644
View file @ dd6b25de
:PREROUTING,INPUT
*mangle
-m socket;=;OK
-m socket --transparent --nowildcard;=;OK
-m socket --transparent --nowildcard --restore-skmark;=;OK
-m socket --transparent --restore-skmark;=;OK
-m socket --nowildcard --restore-skmark;=;OK
-m socket --restore-skmark;=;OK
extensions/libxt_standard.t 0 → 100644
View file @ dd6b25de
:INPUT,FORWARD,OUTPUT
-j DROP;=;OK
-j ACCEPT;=;OK
-j RETURN;=;OK
extensions/libxt_state.t 0 → 100644
View file @ dd6b25de
:INPUT,FORWARD,OUTPUT
-m state --state INVALID;=;OK
-m state --state NEW,RELATED;=;OK
-m state --state UNTRACKED;=;OK
-m state wrong;;FAIL
-m state;;FAIL
extensions/libxt_statistic.c
View file @ dd6b25de
......@@ -133,6 +133,26 @@ static void statistic_save(const void *ip, const struct xt_entry_match *match)
print_match(info, "--");
}
static int statistic_xlate(struct xt_xlate *xl,
const struct xt_xlate_mt_params *params)
{
const struct xt_statistic_info *info =
(struct xt_statistic_info *)params->match->data;
switch (info->mode) {
case XT_STATISTIC_MODE_RANDOM:
return 0;
case XT_STATISTIC_MODE_NTH:
xt_xlate_add(xl, "numgen inc mod %u %s%u",
info->u.nth.every + 1,
info->flags & XT_STATISTIC_INVERT ? "!= " : "",
info->u.nth.packet);
break;
}
return 1;
}
static struct xtables_match statistic_match = {
.family = NFPROTO_UNSPEC,
.name = "statistic",
......@@ -145,6 +165,7 @@ static struct xtables_match statistic_match = {
.print = statistic_print,
.save = statistic_save,
.x6_options = statistic_opts,
.xlate = statistic_xlate,
};
void _init(void)
......
extensions/libxt_statistic.t 0 → 100644
View file @ dd6b25de
:INPUT,FORWARD,OUTPUT
-m statistic;;FAIL
-m statistic --mode random ! --probability 0.50000000000;=;OK
-m statistic --mode random ! --probability 1.1;;FAIL
-m statistic --probability 1;;FAIL
-m statistic --mode nth ! --every 5 --packet 2;=;OK
-m statistic --mode nth ! --every 5;;FAIL
-m statistic --mode nth ! --every 5 --packet 5;;FAIL
extensions/libxt_string.t 0 → 100644
View file @ dd6b25de
:INPUT,FORWARD,OUTPUT
# ERROR: cannot find: iptables -I INPUT -m string --algo bm --string "test"
# -m string --algo bm --string "test";=;OK
# ERROR: cannot find: iptables -I INPUT -m string --algo kmp --string "test")
# -m string --algo kmp --string "test";=;OK
# ERROR: cannot find: iptables -I INPUT -m string --algo kmp ! --string "test"
# -m string --algo kmp ! --string "test";=;OK
# cannot find: iptables -I INPUT -m string --algo bm --string "xxxxxxxxxxx" ....]
# -m string --algo bm --string "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";=;OK
# ERROR: cannot load: iptables -A INPUT -m string --algo bm --string "xxxx"
# -m string --algo bm --string "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";=;OK
# ERROR: cannot load: iptables -A INPUT -m string --algo bm --hexstring "|0a0a0a0a|"
# -m string --algo bm --hexstring "|0a0a0a0a|";=;OK
# ERROR: cannot find: iptables -I INPUT -m string --algo bm --from 0 --to 65535 --string "test"
# -m string --algo bm --from 0 --to 65535 --string "test";=;OK
-m string --algo wrong;;FAIL
-m string --algo bm;;FAIL
-m string;;FAIL
extensions/libxt_tcp.c
View file @ dd6b25de
......@@ -362,6 +362,89 @@ static void tcp_save(const void *ip, const struct xt_entry_match *match)
}
}
static const struct tcp_flag_names tcp_flag_names_xlate[] = {
{ "fin", 0x01 },
{ "syn", 0x02 },
{ "rst", 0x04 },
{ "psh", 0x08 },
{ "ack", 0x10 },
{ "urg", 0x20 },
};
static void print_tcp_xlate(struct xt_xlate *xl, uint8_t flags)
{
int have_flag = 0;
while (flags) {
unsigned int i;
for (i = 0; (flags & tcp_flag_names_xlate[i].flag) == 0; i++);
if (have_flag)
xt_xlate_add(xl, "|");
xt_xlate_add(xl, "%s", tcp_flag_names_xlate[i].name);
have_flag = 1;
flags &= ~tcp_flag_names_xlate[i].flag;
}
if (!have_flag)
xt_xlate_add(xl, "0x0");
}
static int tcp_xlate(struct xt_xlate *xl,
const struct xt_xlate_mt_params *params)
{
const struct xt_tcp *tcpinfo =
(const struct xt_tcp *)params->match->data;
char *space= "";
if (tcpinfo->spts[0] != 0 || tcpinfo->spts[1] != 0xffff) {
if (tcpinfo->spts[0] != tcpinfo->spts[1]) {
xt_xlate_add(xl, "tcp sport %s%u-%u",
tcpinfo->invflags & XT_TCP_INV_SRCPT ?
"!= " : "",
tcpinfo->spts[0], tcpinfo->spts[1]);
} else {
xt_xlate_add(xl, "tcp sport %s%u",
tcpinfo->invflags & XT_TCP_INV_SRCPT ?
"!= " : "",
tcpinfo->spts[0]);
}
space = " ";
}
if (tcpinfo->dpts[0] != 0 || tcpinfo->dpts[1] != 0xffff) {
if (tcpinfo->dpts[0] != tcpinfo->dpts[1]) {
xt_xlate_add(xl, "%stcp dport %s%u-%u", space,
tcpinfo->invflags & XT_TCP_INV_DSTPT ?
"!= " : "",
tcpinfo->dpts[0], tcpinfo->dpts[1]);
} else {
xt_xlate_add(xl, "%stcp dport %s%u", space,
tcpinfo->invflags & XT_TCP_INV_DSTPT ?
"!= " : "",
tcpinfo->dpts[0]);
}
space = " ";
}
/* XXX not yet implemented */
if (tcpinfo->option || (tcpinfo->invflags & XT_TCP_INV_OPTION))
return 0;
if (tcpinfo->flg_mask || (tcpinfo->invflags & XT_TCP_INV_FLAGS)) {
xt_xlate_add(xl, "%stcp flags & ", space);
print_tcp_xlate(xl, tcpinfo->flg_mask);
xt_xlate_add(xl, " %s ",
tcpinfo->invflags & XT_TCP_INV_FLAGS ? "!=": "==");
print_tcp_xlate(xl, tcpinfo->flg_cmp);
}
return 1;
}
static struct xtables_match tcp_match = {
.family = NFPROTO_UNSPEC,
.name = "tcp",
......@@ -374,6 +457,7 @@ static struct xtables_match tcp_match = {
.print = tcp_print,
.save = tcp_save,
.extra_opts = tcp_opts,
.xlate = tcp_xlate,
};
void
......
extensions/libxt_tcp.t 0 → 100644
View file @ dd6b25de
:INPUT,FORWARD,OUTPUT
-p tcp -m tcp --sport 1;=;OK
-p tcp -m tcp --sport 65535;=;OK
-p tcp -m tcp --dport 1;=;OK
-p tcp -m tcp --dport 65535;=;OK
-p tcp -m tcp --sport 1:1023;=;OK
-p tcp -m tcp --sport 1024:65535;=;OK
-p tcp -m tcp --sport 1024:;-p tcp -m tcp --sport 1024:65535;OK
-p tcp -m tcp ! --sport 1;=;OK
-p tcp -m tcp ! --sport 65535;=;OK
-p tcp -m tcp ! --dport 1;=;OK
-p tcp -m tcp ! --dport 65535;=;OK
-p tcp -m tcp --sport 1 --dport 65535;=;OK
-p tcp -m tcp --sport 65535 --dport 1;=;OK
-p tcp -m tcp ! --sport 1 --dport 65535;=;OK
-p tcp -m tcp ! --sport 65535 --dport 1;=;OK
-p tcp -m tcp --sport 65536;;FAIL
-p tcp -m tcp --sport -1;;FAIL
-p tcp -m tcp --dport -1;;FAIL
-p tcp -m tcp --syn;-p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN;OK
-p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN;=;OK
-p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN;=;OK
-p tcp -m tcp ! --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN;=;OK
-p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST;=;OK
# should we accept this below?
-p tcp -m tcp;=;OK
extensions/libxt_tcpmss.t 0 → 100644
View file @ dd6b25de
:INPUT,FORWARD,OUTPUT
-m tcpmss --mss 42;;FAIL
-p tcp -m tcpmss --mss 42;=;OK
-p tcp -m tcpmss --mss 42:12345;=;OK
-p tcp -m tcpmss --mss 42:65536;;FAIL
extensions/libxt_time.t 0 → 100644
View file @ dd6b25de
:INPUT,FORWARD,OUTPUT
-m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05 --kerneltz;=;OK
-m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05;=;OK
-m time --timestart 02:00:00 --timestop 03:00:00 --datestart 1970-01-01T02:00:00 --datestop 1970-01-01T03:00:00;=;OK
extensions/libxt_tos.t 0 → 100644
View file @ dd6b25de
:INPUT,FORWARD,OUTPUT
-m tos --tos Minimize-Delay;-m tos --tos 0x10/0x3f;OK
-m tos --tos Maximize-Throughput;-m tos --tos 0x08/0x3f;OK
-m tos --tos Maximize-Reliability;-m tos --tos 0x04/0x3f;OK
-m tos --tos Minimize-Cost;-m tos --tos 0x02/0x3f;OK
-m tos --tos Normal-Service;-m tos --tos 0x00/0x3f;OK
-m tos --tos 0xff;=;OK
-m tos ! --tos 0xff;=;OK
-m tos --tos 0x00;=;OK
-m tos --tos 0x0f;=;OK
-m tos --tos 0x0f/0x0f;=;OK
-m tos --tos wrong;;FAIL
-m tos;;FAIL
extensions/libxt_u32.t 0 → 100644
View file @ dd6b25de
:INPUT,FORWARD,OUTPUT
-m u32 --u32 "0x0=0x0&&0x0=0x1";=;OK
extensions/libxt_udp.c
View file @ dd6b25de
......@@ -152,6 +152,44 @@ static void udp_save(const void *ip, const struct xt_entry_match *match)
}
}
static int udp_xlate(struct xt_xlate *xl,
const struct xt_xlate_mt_params *params)
{
const struct xt_udp *udpinfo = (struct xt_udp *)params->match->data;
char *space= "";
if (udpinfo->spts[0] != 0 || udpinfo->spts[1] != 0xFFFF) {
if (udpinfo->spts[0] != udpinfo->spts[1]) {
xt_xlate_add(xl,"udp sport %s%u-%u",
udpinfo->invflags & XT_UDP_INV_SRCPT ?
"!= ": "",
udpinfo->spts[0], udpinfo->spts[1]);
} else {
xt_xlate_add(xl, "udp sport %s%u",
udpinfo->invflags & XT_UDP_INV_SRCPT ?
"!= ": "",
udpinfo->spts[0]);
}
space = " ";
}
if (udpinfo->dpts[0] != 0 || udpinfo->dpts[1] != 0xFFFF) {
if (udpinfo->dpts[0] != udpinfo->dpts[1]) {
xt_xlate_add(xl,"%sudp dport %s%u-%u", space,
udpinfo->invflags & XT_UDP_INV_SRCPT ?
"!= ": "",
udpinfo->dpts[0], udpinfo->dpts[1]);
} else {
xt_xlate_add(xl,"%sudp dport %s%u", space,
udpinfo->invflags & XT_UDP_INV_SRCPT ?
"!= ": "",
udpinfo->dpts[0]);
}
}
return 1;
}
static struct xtables_match udp_match = {
.family = NFPROTO_UNSPEC,
.name = "udp",
......@@ -164,6 +202,7 @@ static struct xtables_match udp_match = {
.save = udp_save,
.x6_parse = udp_parse,
.x6_options = udp_opts,
.xlate = udp_xlate,
};
void
......
extensions/libxt_udp.t 0 → 100644
View file @ dd6b25de
:INPUT,OUTPUT,FORWARD
-p udp -m udp --sport 1;=;OK
-p udp -m udp --sport 65535;=;OK
-p udp -m udp --dport 1;=;OK
-p udp -m udp --dport 65535;=;OK
-p udp -m udp --sport 1:1023;=;OK
-p udp -m udp --sport 1024:65535;=;OK
-p udp -m udp --sport 1024:;-p udp -m udp --sport 1024:65535;OK
-p udp -m udp ! --sport 1;=;OK
-p udp -m udp ! --sport 65535;=;OK
-p udp -m udp ! --dport 1;=;OK
-p udp -m udp ! --dport 65535;=;OK
-p udp -m udp --sport 1 --dport 65535;=;OK
-p udp -m udp --sport 65535 --dport 1;=;OK
-p udp -m udp ! --sport 1 --dport 65535;=;OK
-p udp -m udp ! --sport 65535 --dport 1;=;OK
# ERRROR: should fail: iptables -A INPUT -p udp -m udp --sport 65536
# -p udp -m udp --sport 65536;;FAIL
-p udp -m udp --sport -1;;FAIL
-p udp -m udp --dport -1;;FAIL
# should we accept this below?
-p udp -m udp;=;OK
include/Makefile.in deleted 100644 → 0
View file @ 8fceaf37
# Makefile.in generated by automake 1.14.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2013 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
# PARTICULAR PURPOSE.
@SET_MAKE@
# -*- Makefile -*-
VPATH = @srcdir@
am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
*) echo "am__make_running_with_option: internal error: invalid" \
"target option '$${target_option-}' specified" >&2; \
exit 1;; \
esac; \
has_opt=no; \
sane_makeflags=$$MAKEFLAGS; \
if $(am__is_gnu_make); then \
sane_makeflags=$$MFLAGS; \
else \
case $$MAKEFLAGS in \
*\\[\ \ ]*) \
bs=\\; \
sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
| sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
esac; \
fi; \
skip_next=no; \
strip_trailopt () \
{ \
flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
}; \
for flg in $$sane_makeflags; do \
test $$skip_next = yes && { skip_next=no; continue; }; \
case $$flg in \
*=*|--*) continue;; \
-*I) strip_trailopt 'I'; skip_next=yes;; \
-*I?*) strip_trailopt 'I';; \
-*O) strip_trailopt 'O'; skip_next=yes;; \
-*O?*) strip_trailopt 'O';; \
-*l) strip_trailopt 'l'; skip_next=yes;; \
-*l?*) strip_trailopt 'l';; \
-[dEDm]) skip_next=yes;; \
-[JT]) skip_next=yes;; \
esac; \
case $$flg in \
*$$target_option*) has_opt=yes; break;; \
esac; \
done; \
test $$has_opt = yes
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
pkglibexecdir = $(libexecdir)/@PACKAGE@
am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
install_sh_DATA = $(install_sh) -c -m 644
install_sh_PROGRAM = $(install_sh) -c
install_sh_SCRIPT = $(install_sh) -c
INSTALL_HEADER = $(INSTALL_DATA)
transform = $(program_transform_name)
NORMAL_INSTALL = :
PRE_INSTALL = :
POST_INSTALL = :
NORMAL_UNINSTALL = :
PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
@ENABLE_LIBIPQ_TRUE@am__append_1 = libipq/libipq.h
subdir = include
DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
$(srcdir)/xtables-version.h.in $(am__include_HEADERS_DIST) \
$(nobase_include_HEADERS)
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_linker_flags.m4 \
$(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \
$(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \
$(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h
CONFIG_CLEAN_FILES = xtables-version.h
CONFIG_CLEAN_VPATH_FILES =
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
am__v_P_0 = false
am__v_P_1 = :
AM_V_GEN = $(am__v_GEN_@AM_V@)
am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
am__v_GEN_0 = @echo " GEN " $@;
am__v_GEN_1 =
AM_V_at = $(am__v_at_@AM_V@)
am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
am__v_at_0 = @
am__v_at_1 =
SOURCES =
DIST_SOURCES =
am__can_run_installinfo = \
case $$AM_UPDATE_INFO_DIR in \
n|no|NO) false;; \
*) (install-info --version) >/dev/null 2>&1;; \
esac
am__include_HEADERS_DIST = libipq/libipq.h
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
am__vpath_adj = case $$p in \
$(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
*) f=$$p;; \
esac;
am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
am__install_max = 40
am__nobase_strip_setup = \
srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
am__nobase_strip = \
for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
am__nobase_list = $(am__nobase_strip_setup); \
for p in $$list; do echo "$$p $$p"; done | \
sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
$(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
if (++n[$$2] == $(am__install_max)) \
{ print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
END { for (dir in files) print dir, files[dir] }'
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
am__uninstall_files_from_dir = { \
test -z "$$files" \
|| { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && rm -f $$files; }; \
}
am__installdirs = "$(DESTDIR)$(includedir)" "$(DESTDIR)$(includedir)"
HEADERS = $(include_HEADERS) $(nobase_include_HEADERS)
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
# Read a list of newline-separated strings from the standard input,
# and print each of them once, without duplicates. Input order is
# *not* preserved.
am__uniquify_input = $(AWK) '\
BEGIN { nonempty = 0; } \
{ items[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in items) print i; }; } \
'
# Make sure the list of sources is unique. This is necessary because,
# e.g., the same source file might be shared among _SOURCES variables
# for different programs/libraries.
am__define_uniq_tagged_files = \
list='$(am__tagged_files)'; \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | $(am__uniquify_input)`
ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
pkgdatadir = @pkgdatadir@
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
GREP = @GREP@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
LD = @LD@
LDFLAGS = @LDFLAGS@
LEX = @LEX@
LEXLIB = @LEXLIB@
LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
NM = @NM@
NMEDIT = @NMEDIT@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
PACKAGE = @PACKAGE@
PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
PACKAGE_NAME = @PACKAGE_NAME@
PACKAGE_STRING = @PACKAGE_STRING@
PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
RANLIB = @RANLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
YFLAGS = @YFLAGS@
abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
bindir = @bindir@
blacklist_4_modules = @blacklist_4_modules@
blacklist_6_modules = @blacklist_6_modules@
blacklist_a_modules = @blacklist_a_modules@
blacklist_b_modules = @blacklist_b_modules@
blacklist_modules = @blacklist_modules@
blacklist_x_modules = @blacklist_x_modules@
build = @build@
build_alias = @build_alias@
build_cpu = @build_cpu@
build_os = @build_os@
build_vendor = @build_vendor@
builddir = @builddir@
datadir = @datadir@
datarootdir = @datarootdir@
docdir = @docdir@
dvidir = @dvidir@
exec_prefix = @exec_prefix@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
host_os = @host_os@
host_vendor = @host_vendor@
htmldir = @htmldir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
kbuilddir = @kbuilddir@
kinclude_CPPFLAGS = @kinclude_CPPFLAGS@
ksourcedir = @ksourcedir@
libdir = @libdir@
libexecdir = @libexecdir@
libiptc_LDFLAGS2 = @libiptc_LDFLAGS2@
libmnl_CFLAGS = @libmnl_CFLAGS@
libmnl_LIBS = @libmnl_LIBS@
libnetfilter_conntrack_CFLAGS = @libnetfilter_conntrack_CFLAGS@
libnetfilter_conntrack_LIBS = @libnetfilter_conntrack_LIBS@
libnfnetlink_CFLAGS = @libnfnetlink_CFLAGS@
libnfnetlink_LIBS = @libnfnetlink_LIBS@
libnftnl_CFLAGS = @libnftnl_CFLAGS@
libnftnl_LIBS = @libnftnl_LIBS@
libxtables_vage = @libxtables_vage@
libxtables_vcurrent = @libxtables_vcurrent@
libxtables_vmajor = @libxtables_vmajor@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
mkdir_p = @mkdir_p@
noundef_LDFLAGS = @noundef_LDFLAGS@
oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
pkgconfigdir = @pkgconfigdir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
regular_CFLAGS = @regular_CFLAGS@
regular_CPPFLAGS = @regular_CPPFLAGS@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
xtlibdir = @xtlibdir@
include_HEADERS = $(am__append_1)
nobase_include_HEADERS = xtables.h xtables-version.h \
libiptc/ipt_kernel_headers.h libiptc/libiptc.h \
libiptc/libip6tc.h libiptc/libxtc.h libiptc/xtcshared.h
all: all-am
.SUFFIXES:
$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
&& { if test -f $@; then exit 0; else break; fi; }; \
exit 1;; \
esac; \
done; \
echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu include/Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --gnu include/Makefile
.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
*) \
echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
esac;
$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(top_srcdir)/configure: $(am__configure_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(ACLOCAL_M4): $(am__aclocal_m4_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(am__aclocal_m4_deps):
xtables-version.h: $(top_builddir)/config.status $(srcdir)/xtables-version.h.in
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
mostlyclean-libtool:
-rm -f *.lo
clean-libtool:
-rm -rf .libs _libs
install-includeHEADERS: $(include_HEADERS)
@$(NORMAL_INSTALL)
@list='$(include_HEADERS)'; test -n "$(includedir)" || list=; \
if test -n "$$list"; then \
echo " $(MKDIR_P) '$(DESTDIR)$(includedir)'"; \
$(MKDIR_P) "$(DESTDIR)$(includedir)" || exit 1; \
fi; \
for p in $$list; do \
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
echo "$$d$$p"; \
done | $(am__base_list) | \
while read files; do \
echo " $(INSTALL_HEADER) $$files '$(DESTDIR)$(includedir)'"; \
$(INSTALL_HEADER) $$files "$(DESTDIR)$(includedir)" || exit $$?; \
done
uninstall-includeHEADERS:
@$(NORMAL_UNINSTALL)
@list='$(include_HEADERS)'; test -n "$(includedir)" || list=; \
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
dir='$(DESTDIR)$(includedir)'; $(am__uninstall_files_from_dir)
install-nobase_includeHEADERS: $(nobase_include_HEADERS)
@$(NORMAL_INSTALL)
@list='$(nobase_include_HEADERS)'; test -n "$(includedir)" || list=; \
if test -n "$$list"; then \
echo " $(MKDIR_P) '$(DESTDIR)$(includedir)'"; \
$(MKDIR_P) "$(DESTDIR)$(includedir)" || exit 1; \
fi; \
$(am__nobase_list) | while read dir files; do \
xfiles=; for file in $$files; do \
if test -f "$$file"; then xfiles="$$xfiles $$file"; \
else xfiles="$$xfiles $(srcdir)/$$file"; fi; done; \
test -z "$$xfiles" || { \
test "x$$dir" = x. || { \
echo " $(MKDIR_P) '$(DESTDIR)$(includedir)/$$dir'"; \
$(MKDIR_P) "$(DESTDIR)$(includedir)/$$dir"; }; \
echo " $(INSTALL_HEADER) $$xfiles '$(DESTDIR)$(includedir)/$$dir'"; \
$(INSTALL_HEADER) $$xfiles "$(DESTDIR)$(includedir)/$$dir" || exit $$?; }; \
done
uninstall-nobase_includeHEADERS:
@$(NORMAL_UNINSTALL)
@list='$(nobase_include_HEADERS)'; test -n "$(includedir)" || list=; \
$(am__nobase_strip_setup); files=`$(am__nobase_strip)`; \
dir='$(DESTDIR)$(includedir)'; $(am__uninstall_files_from_dir)
ID: $(am__tagged_files)
$(am__define_uniq_tagged_files); mkid -fID $$unique
tags: tags-am
TAGS: tags
tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
set x; \
here=`pwd`; \
$(am__define_uniq_tagged_files); \
shift; \
if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
test -n "$$unique" || unique=$$empty_fix; \
if test $$# -gt 0; then \
$(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
"$$@" $$unique; \
else \
$(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
$$unique; \
fi; \
fi
ctags: ctags-am
CTAGS: ctags
ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
$(am__define_uniq_tagged_files); \
test -z "$(CTAGS_ARGS)$$unique" \
|| $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
$$unique
GTAGS:
here=`$(am__cd) $(top_builddir) && pwd` \
&& $(am__cd) $(top_srcdir) \
&& gtags -i $(GTAGS_ARGS) "$$here"
cscopelist: cscopelist-am
cscopelist-am: $(am__tagged_files)
list='$(am__tagged_files)'; \
case "$(srcdir)" in \
[\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
*) sdir=$(subdir)/$(srcdir) ;; \
esac; \
for i in $$list; do \
if test -f "$$i"; then \
echo "$(subdir)/$$i"; \
else \
echo "$$sdir/$$i"; \
fi; \
done >> $(top_builddir)/cscope.files
distclean-tags:
-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
distdir: $(DISTFILES)
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
list='$(DISTFILES)'; \
dist_files=`for file in $$list; do echo $$file; done | \
sed -e "s|^$$srcdirstrip/||;t" \
-e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
case $$dist_files in \
*/*) $(MKDIR_P) `echo "$$dist_files" | \
sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
sort -u` ;; \
esac; \
for file in $$dist_files; do \
if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
if test -d $$d/$$file; then \
dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
if test -d "$(distdir)/$$file"; then \
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
fi; \
if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
fi; \
cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
else \
test -f "$(distdir)/$$file" \
|| cp -p $$d/$$file "$(distdir)/$$file" \
|| exit 1; \
fi; \
done
check-am: all-am
check: check-am
all-am: Makefile $(HEADERS)
installdirs:
for dir in "$(DESTDIR)$(includedir)" "$(DESTDIR)$(includedir)"; do \
test -z "$$dir" || $(MKDIR_P) "$$dir"; \
done
install: install-am
install-exec: install-exec-am
install-data: install-data-am
uninstall: uninstall-am
install-am: all-am
@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
installcheck: installcheck-am
install-strip:
if test -z '$(STRIP)'; then \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
install; \
else \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
"INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
fi
mostlyclean-generic:
clean-generic:
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@echo "it deletes files that may require special tools to rebuild."
clean: clean-am
clean-am: clean-generic clean-libtool mostlyclean-am
distclean: distclean-am
-rm -f Makefile
distclean-am: clean-am distclean-generic distclean-tags
dvi: dvi-am
dvi-am:
html: html-am
html-am:
info: info-am
info-am:
install-data-am: install-includeHEADERS install-nobase_includeHEADERS
install-dvi: install-dvi-am
install-dvi-am:
install-exec-am:
install-html: install-html-am
install-html-am:
install-info: install-info-am
install-info-am:
install-man:
install-pdf: install-pdf-am
install-pdf-am:
install-ps: install-ps-am
install-ps-am:
installcheck-am:
maintainer-clean: maintainer-clean-am
-rm -f Makefile
maintainer-clean-am: distclean-am maintainer-clean-generic
mostlyclean: mostlyclean-am
mostlyclean-am: mostlyclean-generic mostlyclean-libtool
pdf: pdf-am
pdf-am:
ps: ps-am
ps-am:
uninstall-am: uninstall-includeHEADERS uninstall-nobase_includeHEADERS
.MAKE: install-am install-strip
.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \
clean-libtool cscopelist-am ctags ctags-am distclean \
distclean-generic distclean-libtool distclean-tags distdir dvi \
dvi-am html html-am info info-am install install-am \
install-data install-data-am install-dvi install-dvi-am \
install-exec install-exec-am install-html install-html-am \
install-includeHEADERS install-info install-info-am \
install-man install-nobase_includeHEADERS install-pdf \
install-pdf-am install-ps install-ps-am install-strip \
installcheck installcheck-am installdirs maintainer-clean \
maintainer-clean-generic mostlyclean mostlyclean-generic \
mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \
uninstall-am uninstall-includeHEADERS \
uninstall-nobase_includeHEADERS
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:
include/linux/netfilter/xt_NFLOG.h
View file @ dd6b25de
......@@ -6,9 +6,13 @@
#define XT_NFLOG_DEFAULT_GROUP 0x1
#define XT_NFLOG_DEFAULT_THRESHOLD 0
#define XT_NFLOG_MASK 0x0
#define XT_NFLOG_MASK 0x1
/* This flag indicates that 'len' field in xt_nflog_info is set*/
#define XT_NFLOG_F_COPY_LEN 0x1
struct xt_nflog_info {
/* 'len' will be used iff you set XT_NFLOG_F_COPY_LEN in flags */
__u32 len;
__u16 group;
__u16 threshold;
......
include/linux/netfilter/xt_cgroup.h
View file @ dd6b25de
......@@ -2,10 +2,23 @@
#define _XT_CGROUP_H
#include <linux/types.h>
#include <linux/limits.h>
struct xt_cgroup_info {
struct xt_cgroup_info_v0 {
__u32 id;
__u32 invert;
};
struct xt_cgroup_info_v1 {
__u8 has_path;
__u8 has_classid;
__u8 invert_path;
__u8 invert_classid;
char path[PATH_MAX];
__u32 classid;
/* kernel internal data */
void *priv __attribute__((aligned(8)));
};
#endif /* _XT_CGROUP_H */
include/linux/netfilter/xt_hashlimit.h
View file @ dd6b25de
......@@ -5,8 +5,10 @@
/* timings are in milliseconds. */
#define XT_HASHLIMIT_SCALE 10000
#define XT_HASHLIMIT_SCALE_v2 1000000llu
/* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490
seconds, or one packet every 59 hours. */
* seconds, or one packet every 59 hours.
*/
/* packet length accounting is done in 16-byte steps */
#define XT_HASHLIMIT_BYTE_SHIFT 4
......@@ -61,6 +63,20 @@ struct hashlimit_cfg1 {
__u8 srcmask, dstmask;
};
struct hashlimit_cfg2 {
__u64 avg; /* Average secs between packets * scale */
__u64 burst; /* Period multiplier for upper limit. */
__u32 mode; /* bitmask of XT_HASHLIMIT_HASH_* */
/* user specified */
__u32 size; /* how many buckets */
__u32 max; /* max number of entries */
__u32 gc_interval; /* gc interval */
__u32 expire; /* when do entries expire? */
__u8 srcmask, dstmask;
};
struct xt_hashlimit_mtinfo1 {
char name[IFNAMSIZ];
struct hashlimit_cfg1 cfg;
......@@ -69,4 +85,12 @@ struct xt_hashlimit_mtinfo1 {
struct xt_hashlimit_htable *hinfo __attribute__((aligned(8)));
};
struct xt_hashlimit_mtinfo2 {
char name[NAME_MAX];
struct hashlimit_cfg2 cfg;
/* Used internally by the kernel */
struct xt_hashlimit_htable *hinfo __attribute__((aligned(8)));
};
#endif /*_XT_HASHLIMIT_H*/
include/xtables.h
View file @ dd6b25de
......@@ -205,9 +205,24 @@ enum xtables_ext_flags {
XTABLES_EXT_ALIAS = 1 << 0,
};
struct xt_xlate;
struct xt_xlate_mt_params {
const void *ip;
const struct xt_entry_match *match;
int numeric;
bool escape_quotes;
};
struct xt_xlate_tg_params {
const void *ip;
const struct xt_entry_target *target;
int numeric;
bool escape_quotes;
};
/* Include file for additions: new matches and targets. */
struct xtables_match
{
struct xtables_match {
/*
* ABI/API version this module requires. Must be first member,
* as the rest of this struct may be subject to ABI changes.
......@@ -269,6 +284,10 @@ struct xtables_match
void (*x6_fcheck)(struct xt_fcheck_call *);
const struct xt_option_entry *x6_options;
/* Translate iptables to nft */
int (*xlate)(struct xt_xlate *xl,
const struct xt_xlate_mt_params *params);
/* Size of per-extension instance extra "global" scratch space */
size_t udata_size;
......@@ -280,8 +299,7 @@ struct xtables_match
unsigned int loaded; /* simulate loading so options are merged properly */
};
struct xtables_target
{
struct xtables_target {
/*
* ABI/API version this module requires. Must be first member,
* as the rest of this struct may be subject to ABI changes.
......@@ -346,6 +364,10 @@ struct xtables_target
void (*x6_fcheck)(struct xt_fcheck_call *);
const struct xt_option_entry *x6_options;
/* Translate iptables to nft */
int (*xlate)(struct xt_xlate *xl,
const struct xt_xlate_tg_params *params);
size_t udata_size;
/* Ignore these men behind the curtain: */
......@@ -406,6 +428,17 @@ struct xtables_globals
#define XT_GETOPT_TABLEEND {.name = NULL, .has_arg = false}
/*
* enum op-
*
* For writing clean nftables translations code
*/
enum xt_op {
XT_OP_EQ,
XT_OP_NEQ,
XT_OP_MAX,
};
#ifdef __cplusplus
extern "C" {
#endif
......@@ -548,6 +581,14 @@ extern void xtables_lmap_free(struct xtables_lmap *);
extern int xtables_lmap_name2id(const struct xtables_lmap *, const char *);
extern const char *xtables_lmap_id2name(const struct xtables_lmap *, int);
/* xlate infrastructure */
struct xt_xlate *xt_xlate_alloc(int size);
void xt_xlate_free(struct xt_xlate *xl);
void xt_xlate_add(struct xt_xlate *xl, const char *fmt, ...);
void xt_xlate_add_comment(struct xt_xlate *xl, const char *comment);
const char *xt_xlate_get_comment(struct xt_xlate *xl);
const char *xt_xlate_get(struct xt_xlate *xl);
#ifdef XTABLES_INTERNAL
/* Shipped modules rely on this... */
......
iptables-test.py 0 → 100755
View file @ dd6b25de
#!/usr/bin/python
#
# (C) 2012-2013 by Pablo Neira Ayuso <pablo@netfilter.org>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This software has been sponsored by Sophos Astaro <http://www.sophos.com>
#
import sys
import os
import subprocess
import argparse
IPTABLES = "iptables"
IP6TABLES = "ip6tables"
#IPTABLES = "xtables -4"
#IP6TABLES = "xtables -6"
IPTABLES_SAVE = "iptables-save"
IP6TABLES_SAVE = "ip6tables-save"
#IPTABLES_SAVE = ['xtables-save','-4']
#IP6TABLES_SAVE = ['xtables-save','-6']
EXTENSIONS_PATH = "extensions"
LOGFILE="/tmp/iptables-test.log"
log_file = None
class Colors:
HEADER = '\033[95m'
BLUE = '\033[94m'
GREEN = '\033[92m'
YELLOW = '\033[93m'
RED = '\033[91m'
ENDC = '\033[0m'
def print_error(reason, filename=None, lineno=None):
'''
Prints an error with nice colors, indicating file and line number.
'''
print (filename + ": " + Colors.RED + "ERROR" +
Colors.ENDC + ": line %d (%s)" % (lineno, reason))
def delete_rule(iptables, rule, filename, lineno):
'''
Removes an iptables rule
'''
cmd = iptables + " -D " + rule
ret = execute_cmd(cmd, filename, lineno)
if ret == 1:
reason = "cannot delete: " + iptables + " -I " + rule
print_error(reason, filename, lineno)
return -1
return 0
def run_test(iptables, rule, rule_save, res, filename, lineno):
'''
Executes an unit test. Returns the output of delete_rule().
Parameters:
:param iptables: string with the iptables command to execute
:param rule: string with iptables arguments for the rule to test
:param rule_save: string to find the rule in the output of iptables -save
:param res: expected result of the rule. Valid values: "OK", "FAIL"
:param filename: name of the file tested (used for print_error purposes)
:param lineno: line number being tested (used for print_error purposes)
'''
ret = 0
cmd = iptables + " -A " + rule
ret = execute_cmd(cmd, filename, lineno)
#
# report failed test
#
if ret:
if res == "OK":
reason = "cannot load: " + cmd
print_error(reason, filename, lineno)
return -1
else:
# do not report this error
return 0
else:
if res == "FAIL":
reason = "should fail: " + cmd
print_error(reason, filename, lineno)
delete_rule(iptables, rule, filename, lineno)
return -1
matching = 0
splitted = iptables.split(" ")
if len(splitted) == 2:
if splitted[1] == '-4':
command = IPTABLES_SAVE
elif splitted[1] == '-6':
command = IP6TABLES_SAVE
elif len(splitted) == 1:
if splitted[0] == IPTABLES:
command = IPTABLES_SAVE
elif splitted[0] == IP6TABLES:
command = IP6TABLES_SAVE
args = splitted[1:]
proc = subprocess.Popen(command, stdin=subprocess.PIPE,
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
out, err = proc.communicate()
#
# check for segfaults
#
if proc.returncode == -11:
reason = "iptables-save segfaults: " + cmd
print_error(reason, filename, lineno)
delete_rule(iptables, rule, filename, lineno)
return -1
# find the rule
matching = out.find(rule_save)
if matching < 0:
reason = "cannot find: " + iptables + " -I " + rule
print_error(reason, filename, lineno)
delete_rule(iptables, rule, filename, lineno)
return -1
return delete_rule(iptables, rule, filename, lineno)
def execute_cmd(cmd, filename, lineno):
'''
Executes a command, checking for segfaults and returning the command exit
code.
:param cmd: string with the command to be executed
:param filename: name of the file tested (used for print_error purposes)
:param lineno: line number being tested (used for print_error purposes)
'''
global log_file
print >> log_file, "command: %s" % cmd
ret = subprocess.call(cmd, shell=True, universal_newlines=True,
stderr=subprocess.STDOUT, stdout=log_file)
log_file.flush()
# generic check for segfaults
if ret == -11:
reason = "command segfaults: " + cmd
print_error(reason, filename, lineno)
return ret
def run_test_file(filename):
'''
Runs a test file
:param filename: name of the file with the test rules
'''
#
# if this is not a test file, skip.
#
if not filename.endswith(".t"):
return 0, 0
if "libipt_" in filename:
iptables = IPTABLES
elif "libip6t_" in filename:
iptables = IP6TABLES
elif "libxt_" in filename:
iptables = IPTABLES
else:
# default to iptables if not known prefix
iptables = IPTABLES
f = open(filename)
tests = 0
passed = 0
table = ""
total_test_passed = True
for lineno, line in enumerate(f):
if line[0] == "#":
continue
if line[0] == ":":
chain_array = line.rstrip()[1:].split(",")
continue
# external non-iptables invocation, executed as is.
if line[0] == "@":
external_cmd = line.rstrip()[1:]
execute_cmd(external_cmd, filename, lineno)
continue
if line[0] == "*":
table = line.rstrip()[1:]
continue
if len(chain_array) == 0:
print "broken test, missing chain, leaving"
sys.exit()
test_passed = True
tests += 1
for chain in chain_array:
item = line.split(";")
if table == "":
rule = chain + " " + item[0]
else:
rule = chain + " -t " + table + " " + item[0]
if item[1] == "=":
rule_save = chain + " " + item[0]
else:
rule_save = chain + " " + item[1]
res = item[2].rstrip()
ret = run_test(iptables, rule, rule_save,
res, filename, lineno + 1)
if ret < 0:
test_passed = False
total_test_passed = False
break
if test_passed:
passed += 1
if total_test_passed:
print filename + ": " + Colors.GREEN + "OK" + Colors.ENDC
f.close()
return tests, passed
def show_missing():
'''
Show the list of missing test files
'''
file_list = os.listdir(EXTENSIONS_PATH)
testfiles = [i for i in file_list if i.endswith('.t')]
libfiles = [i for i in file_list
if i.startswith('lib') and i.endswith('.c')]
def test_name(x):
return x[0:-2] + '.t'
missing = [test_name(i) for i in libfiles
if not test_name(i) in testfiles]
print '\n'.join(missing)
#
# main
#
def main():
parser = argparse.ArgumentParser(description='Run iptables tests')
parser.add_argument('filename', nargs='?',
metavar='path/to/file.t',
help='Run only this test')
parser.add_argument('-m', '--missing', action='store_true',
help='Check for missing tests')
args = parser.parse_args()
#
# show list of missing test files
#
if args.missing:
show_missing()
return
if os.getuid() != 0:
print "You need to be root to run this, sorry"
return
test_files = 0
tests = 0
passed = 0
# setup global var log file
global log_file
try:
log_file = open(LOGFILE, 'w')
except IOError:
print "Couldn't open log file %s" % LOGFILE
return
file_list = [os.path.join(EXTENSIONS_PATH, i)
for i in os.listdir(EXTENSIONS_PATH)]
if args.filename:
file_list = [args.filename]
for filename in file_list:
file_tests, file_passed = run_test_file(filename)
if file_tests:
tests += file_tests
passed += file_passed
test_files += 1
print ("%d test files, %d unit tests, %d passed" %
(test_files, tests, passed))
if __name__ == '__main__':
main()
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment