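#!/bin/bash
#
# Restore-race test: load one random ruleset from ten concurrent
# iptables-restore processes and check that iptables-save afterwards
# reproduces exactly the dump that was loaded.
#
# XT_MULTI (the xtables multi-binary to exercise) must already be set in
# the environment; it is never defaulted here.

# Probe once whether an nft binary is usable; clean() uses the answer to
# decide whether to flush the nftables ruleset.  This runs before `set -e`
# so a missing nft is not fatal, and stderr is dropped so an absent binary
# does not print "command not found" -- only the exit status matters.
have_nft=false
nft -v >/dev/null 2>&1 && have_nft=true

# Temp file paths stay empty until mktemp has succeeded, so the EXIT trap
# can tell whether there is anything to remove.
dumpfile=""
tmpfile=""

set -e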
10
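clean()
{
	# Reset firewall state between rounds: flush the filter table and
	# delete its user chains with the binary under test.
	# XT_MULTI is expanded unquoted on purpose (it may hold several words).
	# NOTE(review): if XT_MULTI is unset, this flushes whatever `iptables`
	# is first in PATH -- i.e. the host firewall -- so the variable must be
	# exported by whatever runs this script.
	$XT_MULTI iptables -t filter -F
	$XT_MULTI iptables -t filter -X
	# `nft flush ruleset` removes every nftables table, not only the ones
	# this test created; run the test in a dedicated network namespace.
	# An if-statement rather than `$have_nft && ...`: with the && form a
	# false have_nft makes the function return 1, which trips `set -e` at
	# the call sites in the main loop.
	if $have_nft; then
		nft flush ruleset
	fi
}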
17
clean_tempfile()
{
	# EXIT handler: remove the temp files mktemp created (the variables are
	# empty if it never ran), then reset the firewall state via clean().
	local f
	for f in "${tmpfile}" "${dumpfile}"; do
		[ -n "${f}" ] && rm -f "${f}"
	done
	clean
}
24
# Remove the temp files and reset firewall state on every exit path,
# including the `set -e` aborts below.
trap clean_tempfile EXIT

# Randomised test size: each chain gets ENTRY_NUM+1 rules per protocol;
# UCHAIN_NUM > 0 adds user chains UC-0 .. UC-<UCHAIN_NUM> (0 disables them).
ENTRY_NUM=$(( RANDOM % 10 ))
UCHAIN_NUM=$(( RANDOM % 10 ))
29
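get_target()
{
	# Print (no trailing newline) a random jump target for a dummy rule:
	# always ACCEPT when there are no user chains, otherwise ACCEPT or one
	# of UC-0 .. UC-<UCHAIN_NUM-1> (hex index) with equal probability.
	# Reads the global UCHAIN_NUM.
	local choice

	if [ "$UCHAIN_NUM" -eq 0 ]; then
		printf -- "ACCEPT"
		return
	fi

	# `local` keeps the coin flip out of the global namespace.
	choice=$((RANDOM%2))
	if [ "$choice" -eq 0 ]; then
		printf -- "ACCEPT"
	else
		printf -- "UC-%x" $((RANDOM%UCHAIN_NUM))
	fi
}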
45
46make_dummy_rules()
47{
48	echo "*${1:-filter}"
49	echo ":INPUT ACCEPT [0:0]"
50	echo ":FORWARD ACCEPT [0:0]"
51	echo ":OUTPUT ACCEPT [0:0]"
52
53	if [ $UCHAIN_NUM -gt 0 ]; then
54		for i in $(seq 0 $UCHAIN_NUM); do
55			printf -- ":UC-%x - [0:0]\n" $i
56		done
57	fi
58
59	for proto in tcp udp sctp; do
60		for i in $(seq 0 $ENTRY_NUM); do
61			t=$(get_target)
62			printf -- "-A INPUT -i lo -p $proto --dport %d -j %s\n" $((61000-i)) $t
63			t=$(get_target)
64			printf -- "-A FORWARD -i lo -o lo -p $proto --dport %d -j %s\n" $((61000-i)) $t
65			t=$(get_target)
66			printf -- "-A OUTPUT -o lo -p $proto --dport %d -j %s\n" $((61000-i)) $t
67			[ $UCHAIN_NUM -gt 0 ] && printf -- "-A UC-%x -j ACCEPT\n" $((RANDOM%UCHAIN_NUM))
68		done
69	done
70	echo COMMIT
71}
72
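tmpfile=$(mktemp) || exit 1
dumpfile=$(mktemp) || exit 1

# Build one random ruleset for the filter and the security table, load it
# once, and check that iptables-save gives back the same number of lines.
# The '^#' filter drops iptables-save's comment lines, which are not part
# of the generated dump.  Temp paths are quoted: TMPDIR may contain spaces.
(make_dummy_rules; make_dummy_rules security) > "$dumpfile"
$XT_MULTI iptables-restore -w < "$dumpfile"
LINES1=$(wc -l < "$dumpfile")
$XT_MULTI iptables-save | grep -v '^#' > "$dumpfile"
LINES2=$(wc -l < "$dumpfile")

if [ "$LINES1" -ne "$LINES2" ]; then
	echo "Original dump has $LINES1, not $LINES2" 1>&2
	exit 111
fi

# Repeat the concurrent round 1..10 times for the nft backend, once for
# any other binary -- presumably because the race being exercised is
# specific to that backend.
case "$XT_MULTI" in
*xtables-nft-multi)
	attempts=$((RANDOM%10))
	attempts=$((attempts+1))
	;;
*)
	attempts=1
	;;
esac

while [ "$attempts" -gt 0 ]; do
	attempts=$((attempts-1))

	clean

	# Ten restores of the same dump race each other; -w 15 makes each one
	# wait up to 15s for the xtables lock instead of failing at once.
	for i in {1..10}; do
		$XT_MULTI iptables-restore -w 15 < "$dumpfile" &
	done

	for i in {1..10}; do
		# causes exit in case ipt-restore failed (runs with set -e)
		wait %$i
	done

	$XT_MULTI iptables-save | grep -v '^#' > "$tmpfile"

	clean
	# Under set -e a mismatch ends the script with cmp's exit status.
	cmp "$tmpfile" "$dumpfile"
done

exit 0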