diff options
Diffstat (limited to 'iptables/tests')
11 files changed, 286 insertions, 7 deletions
diff --git a/iptables/tests/shell/run-tests.sh b/iptables/tests/shell/run-tests.sh index 65c37adb..7878760f 100755 --- a/iptables/tests/shell/run-tests.sh +++ b/iptables/tests/shell/run-tests.sh @@ -195,4 +195,4 @@ failed=$((legacy_fail+failed)) msg_info "combined results: [OK] $ok [FAILED] $failed [TOTAL] $((ok+failed))" -exit 0 +exit -$failed diff --git a/iptables/tests/shell/testcases/chain/0004extra-base_0 b/iptables/tests/shell/testcases/chain/0004extra-base_0 new file mode 100755 index 00000000..cc07e4be --- /dev/null +++ b/iptables/tests/shell/testcases/chain/0004extra-base_0 @@ -0,0 +1,37 @@ +#!/bin/bash + +case $XT_MULTI in +*xtables-nft-multi) + ;; +*) + echo skip $XT_MULTI + exit 0 + ;; +esac + +set -e + +nft -f - <<EOF +table ip filter { + chain a { + type filter hook input priority filter + } + + chain INPUT { + type filter hook input priority filter + counter packets 218 bytes 91375 accept + } + + chain x { + type filter hook input priority filter + } +} +EOF + +EXPECT="# Table \`filter' contains incompatible base-chains, use 'nft' tool to list them. +-P INPUT ACCEPT +-P FORWARD ACCEPT +-P OUTPUT ACCEPT +-A INPUT -j ACCEPT" + +diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables -S) diff --git a/iptables/tests/shell/testcases/chain/0005base-delete_0 b/iptables/tests/shell/testcases/chain/0005base-delete_0 new file mode 100755 index 00000000..033a2819 --- /dev/null +++ b/iptables/tests/shell/testcases/chain/0005base-delete_0 @@ -0,0 +1,34 @@ +#!/bin/bash -x + +$XT_MULTI iptables -N foo || exit 1 +$XT_MULTI iptables -P FORWARD DROP || exit 1 +$XT_MULTI iptables -X || exit 1 +$XT_MULTI iptables -X foo && exit 1 + +# indefinite -X fails if a non-empty user-defined chain exists +$XT_MULTI iptables -N foo +$XT_MULTI iptables -N bar +$XT_MULTI iptables -A bar -j ACCEPT +$XT_MULTI iptables -X && exit 1 +$XT_MULTI iptables -D bar -j ACCEPT +$XT_MULTI iptables -X || exit 1 + +# make sure OUTPUT chain is created by iptables-nft +$XT_MULTI iptables -A OUTPUT -j ACCEPT || exit 1 +$XT_MULTI iptables -D OUTPUT -j ACCEPT || exit 1 + +case $XT_MULTI in +*xtables-nft-multi) + # must not delete chain FORWARD, its policy is not ACCEPT + $XT_MULTI iptables -X FORWARD && exit 1 + nft list chain ip filter FORWARD || exit 1 + # this should evict chain OUTPUT + $XT_MULTI iptables -X OUTPUT || exit 1 + nft list chain ip filter OUTPUT && exit 1 + ;; +*) + $XT_MULTI iptables -X FORWARD && exit 1 + $XT_MULTI iptables -X OUTPUT && exit 1 + ;; +esac +exit 0 diff --git a/iptables/tests/shell/testcases/ebtables/0007-chain-policies_0 b/iptables/tests/shell/testcases/ebtables/0007-chain-policies_0 new file mode 100755 index 00000000..d79f91b1 --- /dev/null +++ b/iptables/tests/shell/testcases/ebtables/0007-chain-policies_0 @@ -0,0 +1,41 @@ +#!/bin/bash + +case "$XT_MULTI" in +*xtables-nft-multi) + ;; +*) + echo "skip $XT_MULTI" + exit 0 + ;; +esac + +set -e + +# ebtables supports policies in user-defined chains %) +# and the default policy is ACCEPT ... +$XT_MULTI ebtables -N FOO -P DROP +$XT_MULTI ebtables -N BAR +$XT_MULTI ebtables -P BAR RETURN +$XT_MULTI ebtables -N BAZ + +EXPECT_BASE="*filter +:INPUT ACCEPT +:FORWARD ACCEPT +:OUTPUT ACCEPT" + +EXPECT="$EXPECT_BASE +:BAR RETURN +:BAZ ACCEPT +:FOO DROP" + +diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI ebtables-save | grep -v '^#') + +# rule commands must not break the policies +$XT_MULTI ebtables -A FOO -j ACCEPT +$XT_MULTI ebtables -D FOO -j ACCEPT +$XT_MULTI ebtables -F +diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI ebtables-save | grep -v '^#') + +# dropping the chains must implicitly remove the policy rule as well +$XT_MULTI ebtables -X +diff -u -Z <(echo -e "$EXPECT_BASE") <($XT_MULTI ebtables-save | grep -v '^#') diff --git a/iptables/tests/shell/testcases/ip6tables/0004-address-masks_0 b/iptables/tests/shell/testcases/ip6tables/0004-address-masks_0 new file mode 100755 index 00000000..7eb42f08 --- /dev/null +++ b/iptables/tests/shell/testcases/ip6tables/0004-address-masks_0 @@ -0,0 +1,24 @@ +#!/bin/bash + +set -e + +$XT_MULTI ip6tables-restore <<EOF +*filter +-A FORWARD -s feed:babe::/ffff::0 +-A FORWARD -s feed:babe::/ffff:ff00::0 +-A FORWARD -s feed:babe::/ffff:fff0::0 +-A FORWARD -s feed:babe::/ffff:ffff::0 +-A FORWARD -s feed:babe::/0:ffff::0 +-A FORWARD -s feed:c0ff::babe:f00/ffff::ffff:0 +COMMIT +EOF + +EXPECT='-P FORWARD ACCEPT +-A FORWARD -s feed::/16 +-A FORWARD -s feed:ba00::/24 +-A FORWARD -s feed:bab0::/28 +-A FORWARD -s feed:babe::/32 +-A FORWARD -s 0:babe::/0:ffff:: +-A FORWARD -s feed::babe:0/ffff::ffff:0' + +diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI ip6tables -S FORWARD) diff --git a/iptables/tests/shell/testcases/ipt-restore/0002-parameters_0 b/iptables/tests/shell/testcases/ipt-restore/0002-parameters_0 index 5c8748ec..d632cbc0 100755 --- a/iptables/tests/shell/testcases/ipt-restore/0002-parameters_0 +++ b/iptables/tests/shell/testcases/ipt-restore/0002-parameters_0 @@ -2,7 +2,7 @@ set -e -# make sure wait and wait-interval options are accepted +# make sure wait options are accepted clean_tempfile() { @@ -18,4 +18,3 @@ tmpfile=$(mktemp) || exit 1 $XT_MULTI iptables-save -f $tmpfile $XT_MULTI iptables-restore $tmpfile $XT_MULTI iptables-restore -w 5 $tmpfile -$XT_MULTI iptables-restore -w 5 -W 1 $tmpfile diff --git a/iptables/tests/shell/testcases/ipt-restore/0014-verbose-restore_0 b/iptables/tests/shell/testcases/ipt-restore/0014-verbose-restore_0 index fc8559c5..5daf7a78 100755 --- a/iptables/tests/shell/testcases/ipt-restore/0014-verbose-restore_0 +++ b/iptables/tests/shell/testcases/ipt-restore/0014-verbose-restore_0 @@ -33,6 +33,7 @@ Flushing chain \`bar' Flushing chain \`foo' Deleting chain \`bar' Deleting chain \`foo' +ACCEPT all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 Flushing chain \`PREROUTING' Flushing chain \`INPUT' Flushing chain \`OUTPUT' @@ -41,6 +42,7 @@ Flushing chain \`natbar' Flushing chain \`natfoo' Deleting chain \`natbar' Deleting chain \`natfoo' +ACCEPT all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 Flushing chain \`PREROUTING' Flushing chain \`OUTPUT' Flushing chain \`rawfoo' @@ -58,9 +60,10 @@ Flushing chain \`OUTPUT' Flushing chain \`secfoo' Deleting chain \`secfoo'" -for ipt in iptables-restore ip6tables-restore; do - diff -u -Z <(echo "$EXPECT") <($XT_MULTI $ipt -v <<< "$DUMP") -done +EXPECT6=$(sed -e 's/0\.0\.0\.0/::/g' -e 's/opt --/opt /' <<< "$EXPECT") + +diff -u -Z <(echo "$EXPECT") <($XT_MULTI iptables-restore -v <<< "$DUMP") +diff -u -Z <(echo "$EXPECT6") <($XT_MULTI ip6tables-restore -v <<< "$DUMP") DUMP="*filter :baz - [0:0] diff --git a/iptables/tests/shell/testcases/iptables/0002-verbose-output_0 b/iptables/tests/shell/testcases/iptables/0002-verbose-output_0 index b1ef91f6..5d2af4c8 100755 --- a/iptables/tests/shell/testcases/iptables/0002-verbose-output_0 +++ b/iptables/tests/shell/testcases/iptables/0002-verbose-output_0 @@ -54,3 +54,14 @@ diff -u <(echo "Flushing chain \`foobar'") <($XT_MULTI iptables -v -F foobar) diff -u <(echo "Zeroing chain \`foobar'") <($XT_MULTI iptables -v -Z foobar) diff -u <(echo "Deleting chain \`foobar'") <($XT_MULTI iptables -v -X foobar) + +# make sure non-verbose mode is silent +diff -u <(echo -n "") <( + $XT_MULTI iptables -N foobar + $XT_MULTI iptables -A foobar $RULE1 + $XT_MULTI iptables -A foobar $RULE2 + $XT_MULTI iptables -C foobar $RULE1 + $XT_MULTI iptables -D foobar $RULE2 + $XT_MULTI iptables -F foobar + $XT_MULTI iptables -X foobar +) diff --git a/iptables/tests/shell/testcases/iptables/0004-return-codes_0 b/iptables/tests/shell/testcases/iptables/0004-return-codes_0 index dcd9dfd3..33c5f1f3 100755 --- a/iptables/tests/shell/testcases/iptables/0004-return-codes_0 +++ b/iptables/tests/shell/testcases/iptables/0004-return-codes_0 @@ -39,7 +39,7 @@ E2BIG_D=": Index of deletion too big." E2BIG_R=": Index of replacement too big." EBADRULE=": Bad rule (does a matching rule exist in that chain?)." #ENOTGT=" v[0-9\.]* [^ ]*: Couldn't load target \`foobar':No such file or directory" -ENOMTH=" v[0-9\.]* [^ ]*: Couldn't load match \`foobar':No such file or directory" +ENOMTH=" v[0-9\.]* [^ ]*: Couldn't \(load\|find\) match \`foobar'\(:No such file or directory\|\)" ENOTBL=": can't initialize iptables table \`foobar': Table does not exist" # test chain creation diff --git a/iptables/tests/shell/testcases/iptables/0007-zero-counters_0 b/iptables/tests/shell/testcases/iptables/0007-zero-counters_0 new file mode 100755 index 00000000..36da1907 --- /dev/null +++ b/iptables/tests/shell/testcases/iptables/0007-zero-counters_0 @@ -0,0 +1,64 @@ +#!/bin/bash + +RC=0 +COUNTR=$RANDOM$RANDOM + +$XT_MULTI iptables-restore -c <<EOF +*filter +:INPUT ACCEPT [1:23] +:FOO - [0:0] +[12:345] -A INPUT -i lo -p icmp -m comment --comment "$COUNTR" +[22:123] -A FOO -m comment --comment one +[44:123] -A FOO -m comment --comment two +COMMIT +EOF +EXPECT="*filter +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:FOO - [0:0] +[0:0] -A INPUT -i lo -p icmp -m comment --comment "$COUNTR" +[0:0] -A FOO -m comment --comment one +[0:0] -A FOO -m comment --comment two +COMMIT" + +COUNTER=$($XT_MULTI iptables-save -c |grep "comment $COUNTR"| cut -f 1 -d " ") +if [ $COUNTER != "[12:345]" ]; then + echo "Counter $COUNTER is wrong, expected 12:345" + RC=1 +fi + +$XT_MULTI iptables -Z FOO +COUNTER=$($XT_MULTI iptables-save -c |grep "comment $COUNTR"| cut -f 1 -d " ") +if [ $COUNTER = "[0:0]" ]; then + echo "Counter $COUNTER is wrong, should not have been zeroed" + RC=1 +fi + +for c in one two; do + COUNTER=$($XT_MULTI iptables-save -c |grep "comment $c"| cut -f 1 -d " ") + if [ $COUNTER != "[0:0]" ]; then + echo "Counter $COUNTER is wrong, should have been zeroed at rule $c" + RC=1 + fi +done + +$XT_MULTI iptables -Z +COUNTER=$($XT_MULTI iptables-save -c |grep "comment $COUNTR"| cut -f 1 -d " ") + +if [ $COUNTER != "[0:0]" ]; then + echo "Counter $COUNTER is wrong, expected 0:0 after -Z" + RC=1 +fi + +diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables-save -c | grep -v '^#') +if [ $? -ne 0 ]; then + echo "Diff error: counters were not zeroed" + RC=1 +fi + +$XT_MULTI iptables -D INPUT -i lo -p icmp -m comment --comment "$COUNTR" +$XT_MULTI iptables -D FOO -m comment --comment one +$XT_MULTI iptables -D FOO -m comment --comment two +$XT_MULTI iptables -X FOO +exit $RC diff --git a/iptables/tests/shell/testcases/iptables/0008-unprivileged_0 b/iptables/tests/shell/testcases/iptables/0008-unprivileged_0 new file mode 100755 index 00000000..983531fe --- /dev/null +++ b/iptables/tests/shell/testcases/iptables/0008-unprivileged_0 @@ -0,0 +1,66 @@ +#!/bin/bash + +# iptables may print match/target specific help texts +# help output should work for unprivileged users + +run() { + echo "running: $*" >&2 + runuser -u nobody -- "$@" +} + +grep_or_rc() { + declare -g rc + grep -q "$*" && return 0 + echo "missing in output: $*" >&2 + return 1 +} + +out=$(run $XT_MULTI iptables --help) +let "rc+=$?" +grep_or_rc "iptables -h (print this help information)" <<< "$out" +let "rc+=$?" + +out=$(run $XT_MULTI iptables -m limit --help) +let "rc+=$?" +grep_or_rc "limit match options:" <<< "$out" +let "rc+=$?" + +out=$(run $XT_MULTI iptables -p tcp --help) +let "rc+=$?" +grep_or_rc "tcp match options:" <<< "$out" +let "rc+=$?" + +out=$(run $XT_MULTI iptables -j DNAT --help) +let "rc+=$?" +grep_or_rc "DNAT target options:" <<< "$out" +let "rc+=$?" + +# TEE has no revision 0 +out=$(run $XT_MULTI iptables -j TEE --help) +let "rc+=$?" +grep_or_rc "TEE target options:" <<< "$out" +let "rc+=$?" + +out=$(run $XT_MULTI iptables -p tcp -j DNAT --help) +let "rc+=$?" +grep_or_rc "tcp match options:" <<< "$out" +let "rc+=$?" +out=$(run $XT_MULTI iptables -p tcp -j DNAT --help) +let "rc+=$?" +grep_or_rc "DNAT target options:" <<< "$out" +let "rc+=$?" + + +run $XT_MULTI iptables -L 2>&1 | \ + grep_or_rc "Permission denied" +let "rc+=$?" + +run $XT_MULTI iptables -A FORWARD -p tcp --dport 123 2>&1 | \ + grep_or_rc "Permission denied" +let "rc+=$?" + +run $XT_MULTI iptables -A FORWARD -j DNAT --to-destination 1.2.3.4 2>&1 | \ + grep_or_rc "Permission denied" +let "rc+=$?" + +exit $rc |