1From 0663cc944204ed3afa7fa4f7cf3beadb3ea8e1e4 Mon Sep 17 00:00:00 2001 2From: chenzhen <vchanger123456@163.com> 3Date: Fri, 1 Apr 2022 11:26:32 +0800 4Subject: [PATCH] tests: extensions: add some testcases 5 6These testcases are intended to test options of commonly used extentions like 7DNAT/SNAT/tcp/udp as much as possible, covering normal and abnormal scenes. 8 9Signed-off-by: chenzhen <vchanger123456@163.com> 10--- 11 extensions/libip6t_DNAT.t | 10 ++++++++++ 12 extensions/libip6t_DNAT.txlate | 3 +++ 13 extensions/libip6t_LOG.t | 1 + 14 extensions/libip6t_LOG.txlate | 9 +++++++++ 15 extensions/libip6t_MASQUERADE.t | 1 + 16 extensions/libip6t_REDIRECT.t | 3 +++ 17 extensions/libip6t_REJECT.t | 2 ++ 18 extensions/libip6t_SNAT.t | 9 +++++++++ 19 extensions/libip6t_connlimit.t | 16 ++++++++++++++++ 20 extensions/libip6t_icmp6.t | 5 +++++ 21 extensions/libip6t_rt.t | 6 ++++++ 22 extensions/libip6t_rt.txlate | 3 +++ 23 extensions/libipt_DNAT.t | 9 +++++++++ 24 extensions/libipt_DNAT.txlate | 3 +++ 25 extensions/libipt_LOG.t | 1 + 26 extensions/libipt_LOG.txlate | 9 +++++++++ 27 extensions/libipt_MASQUERADE.t | 1 + 28 extensions/libipt_NETMAP.t | 1 + 29 extensions/libipt_REDIRECT.t | 3 +++ 30 extensions/libipt_REJECT.t | 2 ++ 31 extensions/libipt_SNAT.t | 9 +++++++++ 32 extensions/libipt_icmp.t | 5 +++++ 33 extensions/libxt_iprange.t | 8 +++----- 34 extensions/libxt_limit.t | 8 ++++++++ 35 extensions/libxt_standard.t | 1 + 36 extensions/libxt_string.t | 33 +++++++++++++++++++-------------- 37 extensions/libxt_tcp.t | 3 +++ 38 iptables-test.py | 22 ++++++++++++++++++++++ 39 28 files changed, 167 insertions(+), 19 deletions(-) 40 create mode 100644 extensions/libip6t_connlimit.t 41 42diff --git a/extensions/libip6t_DNAT.t b/extensions/libip6t_DNAT.t 43index ec7d61f..e6de1fc 100644 44--- a/extensions/libip6t_DNAT.t 45+++ b/extensions/libip6t_DNAT.t 46@@ -13,4 +13,14 @@ 47 -p tcp -j DNAT --to-destination [dead::beef-dead::fee7]:1000-2000/65535;=;OK 48 -p tcp -j DNAT 
--to-destination [dead::beef-dead::fee7]:1000-2000/0;;FAIL 49 -p tcp -j DNAT --to-destination [dead::beef-dead::fee7]:1000-2000/65536;;FAIL 50+-p tcp -j DNAT --to-destination dead::beef --random --persistent;=;OK 51+-p tcp -j DNAT --to-destination [dead::beef;;FAIL 52+-p tcp -j DNAT --to-destination [dead::beef]:65536;;FAIL 53+-p tcp -j DNAT --to-destination [dead::beef]:1-65536;;FAIL 54+-p tcp -j DNAT --to-destination [dead::beef]:1:65535;;FAIL 55+-p tcp -j DNAT --to-destination [dead::beef]:2-1;;FAIL 56+-p tcp -j DNAT --to-destination live::beef;;FAIL 57+-p tcp -j DNAT --to-destination dead::beef-live::beef;;FAIL 58+-p tcp -j DNAT --to-destination :65535;=;OK 59 -j DNAT;;FAIL 60+-j DNAT -h;;OK 61diff --git a/extensions/libip6t_DNAT.txlate b/extensions/libip6t_DNAT.txlate 62index 03c4caf..e6b6218 100644 63--- a/extensions/libip6t_DNAT.txlate 64+++ b/extensions/libip6t_DNAT.txlate 65@@ -9,3 +9,6 @@ nft add rule ip6 nat prerouting meta l4proto tcp counter dnat to [fec0::1234]:80 66 67 ip6tables-translate -t nat -A prerouting -p tcp -j DNAT --to-destination [fec0::1234]:80 --random --persistent 68 nft add rule ip6 nat prerouting meta l4proto tcp counter dnat to [fec0::1234]:80 random,persistent 69+ 70+ip6tables-translate -t nat -A prerouting -p tcp -j DNAT --to-destination [dead::beef-dead::beef] 71+nft add rule ip6 nat prerouting meta l4proto tcp counter dnat to dead::beef 72diff --git a/extensions/libip6t_LOG.t b/extensions/libip6t_LOG.t 73index fbf5118..e3fb58f 100644 74--- a/extensions/libip6t_LOG.t 75+++ b/extensions/libip6t_LOG.t 76@@ -8,5 +8,6 @@ 77 -j LOG --log-prefix "test: " --log-tcp-options;=;OK 78 -j LOG --log-prefix "test: " --log-ip-options;=;OK 79 -j LOG --log-prefix "test: " --log-uid;=;OK 80+-j LOG --log-prefix "test: " --log-macdecode;=;OK 81 -j LOG --log-prefix "test: " --log-level bad;;FAIL 82 -j LOG --log-prefix;;FAIL 83diff --git a/extensions/libip6t_LOG.txlate b/extensions/libip6t_LOG.txlate 84index 2820a82..6fa47af 100644 85--- 
a/extensions/libip6t_LOG.txlate 86+++ b/extensions/libip6t_LOG.txlate 87@@ -6,3 +6,12 @@ nft add rule ip6 filter FORWARD meta l4proto tcp counter log level debug 88 89 ip6tables-translate -A FORWARD -p tcp -j LOG --log-prefix "Checking log" 90 nft add rule ip6 filter FORWARD meta l4proto tcp counter log prefix \"Checking log\" 91+ 92+ip6tables-translate -A FORWARD -p tcp -j LOG --log-tcp-sequence --log-tcp-options --log-ip-options --log-uid 93+nft add rule ip6 filter FORWARD meta l4proto tcp counter log flags tcp sequence,options flags ip options flags skuid 94+ 95+ip6tables-translate -A FORWARD -p tcp -j LOG --log-tcp-sequence --log-tcp-options --log-ip-options --log-uid --log-macdecode 96+nft add rule ip6 filter FORWARD meta l4proto tcp counter log flags all 97+ 98+ip6tables-translate -A FORWARD -p tcp -j LOG --log-tcp-sequence --log-macdecode 99+nft add rule ip6 filter FORWARD meta l4proto tcp counter log flags tcp sequence flags ether 100diff --git a/extensions/libip6t_MASQUERADE.t b/extensions/libip6t_MASQUERADE.t 101index e25d2a0..e254fa7 100644 102--- a/extensions/libip6t_MASQUERADE.t 103+++ b/extensions/libip6t_MASQUERADE.t 104@@ -7,3 +7,4 @@ 105 -p udp -j MASQUERADE --to-ports 1024-65535;=;OK 106 -p udp -j MASQUERADE --to-ports 1024-65536;;FAIL 107 -p udp -j MASQUERADE --to-ports -1;;FAIL 108+-j MASQUERADE --to-ports 1024;;FAIL 109diff --git a/extensions/libip6t_REDIRECT.t b/extensions/libip6t_REDIRECT.t 110index a0fb0ed..4ea9f6e 100644 111--- a/extensions/libip6t_REDIRECT.t 112+++ b/extensions/libip6t_REDIRECT.t 113@@ -4,3 +4,6 @@ 114 -p udp -j REDIRECT --to-ports 42-1234;=;OK 115 -p tcp -j REDIRECT --to-ports 42-1234 --random;=;OK 116 -j REDIRECT --to-ports 42;;FAIL 117+-p tcp -j REDIRECT --to-ports -1;;FAIL 118+-p tcp -j REDIRECT --to-ports 42-65536;;FAIL 119+-j REDIRECT -h;;OK 120diff --git a/extensions/libip6t_REJECT.t b/extensions/libip6t_REJECT.t 121index d2b337d..0ac8824 100644 122--- a/extensions/libip6t_REJECT.t 123+++ 
b/extensions/libip6t_REJECT.t 124@@ -9,3 +9,5 @@ 125 -j REJECT --reject-with icmp6-reject-route;=;OK 126 -p tcp -j REJECT --reject-with tcp-reset;=;OK 127 -j REJECT --reject-with tcp-reset;;FAIL 128+-j REJECT --reject-with icmp6-wrong;;FAIL 129+-j REJECT -h;;OK 130diff --git a/extensions/libip6t_SNAT.t b/extensions/libip6t_SNAT.t 131index d188a6b..74ebd2b 100644 132--- a/extensions/libip6t_SNAT.t 133+++ b/extensions/libip6t_SNAT.t 134@@ -8,4 +8,13 @@ 135 -p tcp -j SNAT --to-source [dead::beef-dead::fee7]:1025-65535;=;OK 136 -p tcp -j SNAT --to-source [dead::beef-dead::fee7]:1025-65536;;FAIL 137 -p tcp -j SNAT --to-source [dead::beef-dead::fee7]:1025-65535 --to-source [dead::beef-dead::fee8]:1025-65535;;FAIL 138+-p tcp -j SNAT --to-source dead::beef --random --random-fully --persistent;=;OK 139+-p tcp -j SNAT --to-source :65535;=;OK 140+-p tcp -j SNAT --to-source [dead::beef;;FAIL 141+-p tcp -j SNAT --to-source [dead::beef]:1-65536;;FAIL 142+-p tcp -j SNAT --to-source [dead::beef]:1:65535;;FAIL 143+-p tcp -j SNAT --to-source [dead::beef]:2-1;;FAIL 144+-p tcp -j SNAT --to-source live::beef;;FAIL 145+-p tcp -j SNAT --to-source dead::beef-live::beef;;FAIL 146 -j SNAT;;FAIL 147+-j SNAT -h;;OK 148diff --git a/extensions/libip6t_connlimit.t b/extensions/libip6t_connlimit.t 149new file mode 100644 150index 0000000..808cef4 151--- /dev/null 152+++ b/extensions/libip6t_connlimit.t 153@@ -0,0 +1,16 @@ 154+:INPUT,FORWARD,OUTPUT 155+-m connlimit --connlimit-upto 0;=;OK 156+-m connlimit --connlimit-upto 4294967295;=;OK 157+-m connlimit --connlimit-upto 4294967296;;FAIL 158+-m connlimit --connlimit-upto -1;;FAIL 159+-m connlimit --connlimit-above 0;=;OK 160+-m connlimit --connlimit-above 4294967295;=;OK 161+-m connlimit --connlimit-above 4294967296;;FAIL 162+-m connlimit --connlimit-above -1;;FAIL 163+-m connlimit --connlimit-upto 1 --conlimit-above 1;;FAIL 164+-m connlimit --connlimit-above 10 --connlimit-saddr;-m connlimit --connlimit-above 10 --connlimit-mask 128 
--connlimit-saddr;OK 165+-m connlimit --connlimit-above 10 --connlimit-daddr;-m connlimit --connlimit-above 10 --connlimit-mask 128 --connlimit-daddr;OK 166+-m connlimit --connlimit-above 10 --connlimit-saddr --connlimit-daddr;;FAIL 167+-m connlimit --connlimit-above 10 --connlimit-mask 32 --connlimit-saddr;=;OK 168+-m connlimit --connlimit-above 10 --connlimit-mask 32 --connlimit-daddr;=;OK 169+-m connlimit;;FAIL 170diff --git a/extensions/libip6t_icmp6.t b/extensions/libip6t_icmp6.t 171index 028cfc1..73c42e7 100644 172--- a/extensions/libip6t_icmp6.t 173+++ b/extensions/libip6t_icmp6.t 174@@ -4,3 +4,8 @@ 175 -p ipv6-icmp -m icmp6 --icmpv6-type 2;=;OK 176 # cannot use option twice: 177 -p ipv6-icmp -m icmp6 --icmpv6-type no-route --icmpv6-type packet-too-big;;FAIL 178+-p ipv6-icmp -m icmp6 ! --icmpv6-type 2;=;OK 179+-p ipv6-icmp -m icmp6 --icmpv6-type router;;FAIL 180+-p ipv6-icmp -m icmp6 --icmpv6-type -1;;FAIL 181+-p ipv6-icmp -m icmp6 --icmpv6-type 1/65536;;FAIL 182+-p ipv6-icmp -h;;OK 183diff --git a/extensions/libip6t_rt.t b/extensions/libip6t_rt.t 184index 3c7b2d9..730603e 100644 185--- a/extensions/libip6t_rt.t 186+++ b/extensions/libip6t_rt.t 187@@ -2,4 +2,10 @@ 188 -m rt --rt-type 0 --rt-segsleft 1:23 --rt-len 42 --rt-0-res;=;OK 189 -m rt --rt-type 0 ! --rt-segsleft 1:23 ! --rt-len 42 --rt-0-res;=;OK 190 -m rt ! --rt-type 1 ! --rt-segsleft 12:23 ! 
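Review bot: The mutual-exclusion case `-m connlimit --connlimit-upto 1 --conlimit-above 1;;FAIL` in the new libip6t_connlimit.t misspells the second option (`--conlimit-above`), so iptables rejects it as an unknown option and the line never exercises the upto/above conflict it is meant to cover. It should read `-m connlimit --connlimit-upto 1 --connlimit-above 1;;FAIL`. Because a `;;FAIL` line is satisfied by any non-zero exit, a typo in any option name makes the case pass vacuously, so the other FAIL lines in this file are worth a second look for the same effect. The file also has no `-m connlimit -h;;OK` line, unlike the other extensions touched by this patch.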
--rt-len 42;=;OK 191+-m rt --rt-type 0 --rt-0-addrs beef::feed --rt-0-not-strict;=;OK 192+-m rt --rt-0-addrs beef::feed;;FAIL 193+-m rt --rt-0-res;;FAIL 194+-m rt --rt-type 0 --rt-0-not-strict;;FAIL 195+-m rt --rt-type 0 --rt-0-addrs beef::wrong --rt-0-not-strict;;FAIL 196+-m rt --rt-type 0 --rt-segsleft 1:1 --rt-len 42 --rt-0-res;-m rt --rt-type 0 --rt-segsleft 1 --rt-len 42 --rt-0-res;OK 197 -m rt;=;OK 198diff --git a/extensions/libip6t_rt.txlate b/extensions/libip6t_rt.txlate 199index 6464cf9..d07ab50 100644 200--- a/extensions/libip6t_rt.txlate 201+++ b/extensions/libip6t_rt.txlate 202@@ -12,3 +12,6 @@ nft add rule ip6 filter INPUT rt type 0 rt hdrlength 22 counter drop 203 204 ip6tables-translate -A INPUT -m rt --rt-type 0 --rt-len 22 ! --rt-segsleft 26 -j ACCEPT 205 nft add rule ip6 filter INPUT rt type 0 rt seg-left != 26 rt hdrlength 22 counter accept 206+ 207+ip6tables-translate -A INPUT -m rt --rt-type 0 --rt-len 22 --rt-segsleft 1:26 -j ACCEPT 208+nft add rule ip6 filter INPUT rt type 0 rt seg-left 1-26 rt hdrlength 22 counter accept 209diff --git a/extensions/libipt_DNAT.t b/extensions/libipt_DNAT.t 210index 1c4413b..1146ef1 100644 211--- a/extensions/libipt_DNAT.t 212+++ b/extensions/libipt_DNAT.t 213@@ -13,4 +13,13 @@ 214 -p tcp -j DNAT --to-destination 1.1.1.1:1000-2000/65535;=;OK 215 -p tcp -j DNAT --to-destination 1.1.1.1:1000-2000/0;;FAIL 216 -p tcp -j DNAT --to-destination 1.1.1.1:1000-2000/65536;;FAIL 217+-p tcp -j DNAT --to-destination 1.1.1.1 --random --persistent;=;OK 218+-p tcp -j DNAT --to-destination :65535;=;OK 219+-p tcp -j DNAT --to-destination 1.1.1.1:1000;=;OK 220+-p tcp -j DNAT --to-destination 1.1.1.1:1025-65536;;FAIL 221+-p tcp -j DNAT --to-destination 1.1.1.1:1025:65535;;FAIL 222+-p tcp -j DNAT --to-destination 1.1.1.1:2000-1000;;FAIL 223+-p tcp -j DNAT --to-destination 1.1.1.a;;FAIL 224+-p tcp -j DNAT --to-destination 1.1.1.1-1.1.1.a;;FAIL 225 -j DNAT;;FAIL 226+-j DNAT -h;;OK 227diff --git a/extensions/libipt_DNAT.txlate 
b/extensions/libipt_DNAT.txlate 228index e88314d..5da8077 100644 229--- a/extensions/libipt_DNAT.txlate 230+++ b/extensions/libipt_DNAT.txlate 231@@ -12,3 +12,6 @@ nft add rule ip nat prerouting oifname "eth0" ip protocol tcp counter dnat to 1. 232 233 iptables-translate -t nat -A prerouting -p tcp -o eth0 -j DNAT --to-destination 1.2.3.4 --random --persistent 234 nft add rule ip nat prerouting oifname "eth0" ip protocol tcp counter dnat to 1.2.3.4 random,persistent 235+ 236+iptables-translate -t nat -A prerouting -p tcp -o eth0 -j DNAT --to-destination 1.2.3.4:1000-2000/65535 237+nft add rule ip nat prerouting oifname "eth0" ip protocol tcp counter dnat to 1.2.3.4:1000-2000;65535 238diff --git a/extensions/libipt_LOG.t b/extensions/libipt_LOG.t 239index fbf5118..e3fb58f 100644 240--- a/extensions/libipt_LOG.t 241+++ b/extensions/libipt_LOG.t 242@@ -8,5 +8,6 @@ 243 -j LOG --log-prefix "test: " --log-tcp-options;=;OK 244 -j LOG --log-prefix "test: " --log-ip-options;=;OK 245 -j LOG --log-prefix "test: " --log-uid;=;OK 246+-j LOG --log-prefix "test: " --log-macdecode;=;OK 247 -j LOG --log-prefix "test: " --log-level bad;;FAIL 248 -j LOG --log-prefix;;FAIL 249diff --git a/extensions/libipt_LOG.txlate b/extensions/libipt_LOG.txlate 250index 81f64fb..ecb3304 100644 251--- a/extensions/libipt_LOG.txlate 252+++ b/extensions/libipt_LOG.txlate 253@@ -3,3 +3,12 @@ nft add rule ip filter FORWARD ip protocol tcp counter log level err 254 255 iptables-translate -A FORWARD -p tcp -j LOG --log-prefix "Random prefix" 256 nft add rule ip filter FORWARD ip protocol tcp counter log prefix \"Random prefix\" 257+ 258+iptables-translate -A FORWARD -p tcp -j LOG --log-tcp-sequence --log-tcp-options --log-ip-options --log-uid 259+nft add rule ip filter FORWARD ip protocol tcp counter log flags tcp sequence,options flags ip options flags skuid 260+ 261+iptables-translate -A FORWARD -p tcp -j LOG --log-tcp-sequence --log-tcp-options --log-ip-options --log-uid --log-macdecode 262+nft add 
rule ip filter FORWARD ip protocol tcp counter log flags all 263+ 264+iptables-translate -A FORWARD -p tcp -j LOG --log-tcp-sequence --log-macdecode 265+nft add rule ip filter FORWARD ip protocol tcp counter log flags tcp sequence flags ether 266diff --git a/extensions/libipt_MASQUERADE.t b/extensions/libipt_MASQUERADE.t 267index e25d2a0..e254fa7 100644 268--- a/extensions/libipt_MASQUERADE.t 269+++ b/extensions/libipt_MASQUERADE.t 270@@ -7,3 +7,4 @@ 271 -p udp -j MASQUERADE --to-ports 1024-65535;=;OK 272 -p udp -j MASQUERADE --to-ports 1024-65536;;FAIL 273 -p udp -j MASQUERADE --to-ports -1;;FAIL 274+-j MASQUERADE --to-ports 1024;;FAIL 275diff --git a/extensions/libipt_NETMAP.t b/extensions/libipt_NETMAP.t 276index 31924b9..1a0f23b 100644 277--- a/extensions/libipt_NETMAP.t 278+++ b/extensions/libipt_NETMAP.t 279@@ -2,3 +2,4 @@ 280 *nat 281 -j NETMAP --to 1.2.3.0/24;=;OK 282 -j NETMAP --to 1.2.3.4;=;OK 283+-j NETMAP --to 1.2.3.4/33;;OK 284diff --git a/extensions/libipt_REDIRECT.t b/extensions/libipt_REDIRECT.t 285index a0fb0ed..4ea9f6e 100644 286--- a/extensions/libipt_REDIRECT.t 287+++ b/extensions/libipt_REDIRECT.t 288@@ -4,3 +4,6 @@ 289 -p udp -j REDIRECT --to-ports 42-1234;=;OK 290 -p tcp -j REDIRECT --to-ports 42-1234 --random;=;OK 291 -j REDIRECT --to-ports 42;;FAIL 292+-p tcp -j REDIRECT --to-ports -1;;FAIL 293+-p tcp -j REDIRECT --to-ports 42-65536;;FAIL 294+-j REDIRECT -h;;OK 295diff --git a/extensions/libipt_REJECT.t b/extensions/libipt_REJECT.t 296index 5b26b10..8977eb6 100644 297--- a/extensions/libipt_REJECT.t 298+++ b/extensions/libipt_REJECT.t 299@@ -7,3 +7,5 @@ 300 -j REJECT --reject-with icmp-net-prohibited;=;OK 301 -j REJECT --reject-with icmp-host-prohibited;=;OK 302 -j REJECT --reject-with icmp-admin-prohibited;=;OK 303+-j REJECT --reject-with echo-reply;;FAIL 304+-j REJECT -h;;OK 305diff --git a/extensions/libipt_SNAT.t b/extensions/libipt_SNAT.t 306index 186e1cb..e88774a 100644 307--- a/extensions/libipt_SNAT.t 308+++ 
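Review bot: `-j NETMAP --to 1.2.3.4/33;;OK` in libipt_NETMAP.t encodes acceptance of a prefix length that is out of range for IPv4, and with an empty expected-save field all it checks is a zero exit status. If lenient handling of `/33` is intended, the line should spell out what iptables-save prints for it so a later move to stricter mask parsing is caught, e.g. `-j NETMAP --to 1.2.3.4/33;-j NETMAP --to <saved form>;OK`; if it is not intended, the expectation should be `;;FAIL` and the leniency is a parser issue rather than something to enshrine in the suite. A one-line comment above it saying which of the two is meant would help the next reader.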
b/extensions/libipt_SNAT.t 309@@ -8,4 +8,13 @@ 310 -p tcp -j SNAT --to-source 1.1.1.1-1.1.1.10:1025-65535;=;OK 311 -p tcp -j SNAT --to-source 1.1.1.1-1.1.1.10:1025-65536;;FAIL 312 -p tcp -j SNAT --to-source 1.1.1.1-1.1.1.10:1025-65535 --to-source 2.2.2.2-2.2.2.20:1025-65535;;FAIL 313+-p tcp -j SNAT --to-source 1.1.1.1 --random --random-fully --persistent;=;OK 314+-p tcp -j SNAT --to-source :65535;=;OK 315+-p tcp -j SNAT --to-source 1.1.1.1:1025;=;OK 316+-p tcp -j SNAT --to-source 1.1.1.1:1025-65536;;FAIL 317+-p tcp -j SNAT --to-source 1.1.1.1:1025:65535;;FAIL 318+-p tcp -j SNAT --to-source 1.1.1.1:65535-1025;;FAIL 319+-p tcp -j SNAT --to-source 1.1.1.a;;FAIL 320+-p tcp -j SNAT --to-source 1.1.1.1-1.1.1.a;;FAIL 321 -j SNAT;;FAIL 322+-j SNAT -h;;OK 323diff --git a/extensions/libipt_icmp.t b/extensions/libipt_icmp.t 324index f4ba65c..09771a3 100644 325--- a/extensions/libipt_icmp.t 326+++ b/extensions/libipt_icmp.t 327@@ -13,3 +13,8 @@ 328 # we accept "iptables -I INPUT -p tcp -m tcp", why not this below? 329 # ERROR: cannot load: iptables -A INPUT -p icmp -m icmp 330 # -p icmp -m icmp;=;OK 331+-p icmp -m icmp ! --icmp-type 1/0;=;OK 332+-p icmp -m icmp --icmp-type router;;FAIL 333+-p icmp -m icmp --icmp-type -1;;FAIL 334+-p icmp -m icmp --icmp-type 1/65536;;FAIL 335+-p icmp -m icmp -h;;OK 336diff --git a/extensions/libxt_iprange.t b/extensions/libxt_iprange.t 337index 6fd98be..34449f0 100644 338--- a/extensions/libxt_iprange.t 339+++ b/extensions/libxt_iprange.t 340@@ -3,9 +3,7 @@ 341 -m iprange ! --src-range 1.1.1.1-1.1.1.10;=;OK 342 -m iprange --dst-range 1.1.1.1-1.1.1.10;=;OK 343 -m iprange ! --dst-range 1.1.1.1-1.1.1.10;=;OK 344-# it shows -A INPUT -m iprange --src-range 1.1.1.1-1.1.1.1, should we support this? 
345-# ERROR: should fail: iptables -A INPUT -m iprange --src-range 1.1.1.1 346-# -m iprange --src-range 1.1.1.1;;FAIL 347-# ERROR: should fail: iptables -A INPUT -m iprange --dst-range 1.1.1.1 348-#-m iprange --dst-range 1.1.1.1;;FAIL 349+-m iprange --src-range 1.1.1.1;=;OK 350+-m iprange --dst-range 1.1.1.1;=;OK 351 -m iprange;;FAIL 352+-m iprange -h;;OK 353diff --git a/extensions/libxt_limit.t b/extensions/libxt_limit.t 354index b0af653..c06f91c 100644 355--- a/extensions/libxt_limit.t 356+++ b/extensions/libxt_limit.t 357@@ -4,3 +4,11 @@ 358 -m limit --limit 1000/hour;=;OK 359 -m limit --limit 1000/day;=;OK 360 -m limit --limit 1/sec --limit-burst 1;=;OK 361+-m limit --limit 0/sec;;FAIL 362+-m limit --limit 1/bad;;FAIL 363+-m limit ! --limit 1/sec;;FAIL 364+# Rate too fast(> 10000/sec) 365+-m limit --limit 10001/second;;FAIL 366+# Default value for --limit 367+-m limit;-m limit --limit 3/hour;OK 368+-m limit -h;;OK 369diff --git a/extensions/libxt_standard.t b/extensions/libxt_standard.t 370index 4313f7b..2f5f9d3 100644 371--- a/extensions/libxt_standard.t 372+++ b/extensions/libxt_standard.t 373@@ -9,3 +9,4 @@ 374 -j ACCEPT;=;OK 375 -j RETURN;=;OK 376 ! -p 0 -j ACCEPT;=;FAIL 377+-j standard -h;;OK 378diff --git a/extensions/libxt_string.t b/extensions/libxt_string.t 379index d68f099..0103eae 100644 380--- a/extensions/libxt_string.t 381+++ b/extensions/libxt_string.t 382@@ -1,18 +1,23 @@ 383 :INPUT,FORWARD,OUTPUT 384-# ERROR: cannot find: iptables -I INPUT -m string --algo bm --string "test" 385-# -m string --algo bm --string "test";=;OK 386-# ERROR: cannot find: iptables -I INPUT -m string --algo kmp --string "test") 387-# -m string --algo kmp --string "test";=;OK 388-# ERROR: cannot find: iptables -I INPUT -m string --algo kmp ! --string "test" 389-# -m string --algo kmp ! --string "test";=;OK 390-# cannot find: iptables -I INPUT -m string --algo bm --string "xxxxxxxxxxx" ....] 
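Review bot: The comments removed from libxt_iprange.t say a single-address `--src-range 1.1.1.1` is saved as `--src-range 1.1.1.1-1.1.1.1`, yet the replacement lines use `=`, which expects the rule to read back as written; this patch only touches test files, so either the save format changed in an earlier commit or these lines are relying on the harness matching loosely. If the saved form really is the expanded range, pin it explicitly: `-m iprange --src-range 1.1.1.1;-m iprange --src-range 1.1.1.1-1.1.1.1;OK` (and the same for `--dst-range`). The dropped "should we support this?" question is also worth keeping as a short comment, since the new lines now silently endorse the one-address form as supported behaviour.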
391-# -m string --algo bm --string "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";=;OK 392-# ERROR: cannot load: iptables -A INPUT -m string --algo bm --string "xxxx" 393-# -m string --algo bm --string "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";=;OK 394-# ERROR: cannot load: iptables -A INPUT -m string --algo bm --hexstring "|0a0a0a0a|" 395-# -m string --algo bm --hexstring "|0a0a0a0a|";=;OK 396-# ERROR: cannot find: iptables -I INPUT -m string --algo bm --from 0 --to 65535 --string "test" 397-# -m string --algo bm --from 0 --to 65535 --string "test";=;OK 398+-m string --string "test" --algo bm;=;OK 399+-m string --string "test" --algo kmp;=;OK 400+-m string ! --string "test" --algo kmp;=;OK 401+-m string --string "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" --algo bm;=;OK 402+-m string --algo bm --string "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";;FAIL 403+-m string --string "\\" --algo bm;-m string --hex-string "|5c|";OK 404+-m string --hex-string "|0a0a0a0a|" --algo bm;=;OK 405+-m string ! 
--hex-string "|0a0a0a0a|" --algo bm;=;OK 406+-m string --algo bm --hex-string "| 0a|";-m string --hex-string "|0a|";OK 407+-m string --algo bm --hex-string "|0a0|";;FAIL 408+-m string --algo bm --hex-string "|ww|";;FAIL 409+-m string --algo bm --hex-string "";;FAIL 410+-m string --algo bm --hex-string "|0a\\|";;FAIL 411+-m string --algo bm --hex-string "xxx\\";;FAIL 412+-m string --algo bm --hex-string "|\\";;FAIL 413+-m string --algo bm --hex-string "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";;FAIL 414+-m string --string "test" --algo bm --from 1 --to 65535;=;OK 415 -m string --algo wrong;;FAIL 416 -m string --algo bm;;FAIL 417 -m string;;FAIL 418+-m string --string "test" --algo bm --to 65535 --icase;=;OK 419+-m string -h;;OK 420diff --git a/extensions/libxt_tcp.t b/extensions/libxt_tcp.t 421index b0e8006..bd6345f 100644 422--- a/extensions/libxt_tcp.t 423+++ b/extensions/libxt_tcp.t 424@@ -22,5 +22,8 @@ 425 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN;=;OK 426 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN;=;OK 427 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST;=;OK 428+-p tcp -m tcp --tcp-option 1;=;OK 429+-p tcp -m tcp --tcp-option -1;;FAIL 430+-p tcp -m tcp ! --tcp-option 1;=;OK 431 # should we accept this below? 
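Review bot: Two expectations in the libxt_string.t hunk omit `--algo bm` from the saved form (`-m string --hex-string "|5c|"` and `-m string --hex-string "|0a|"`) while every `=` line in the same file keeps it, so they can only pass if the harness compares by prefix or substring rather than exactly, and the looser the match the less the test pins. Spelling out the full save form is cheap and consistent with the rest of the file: `-m string --string "\\" --algo bm;-m string --hex-string "|5c|" --algo bm;OK`, and likewise `;-m string --hex-string "|0a|" --algo bm;OK` for the `"| 0a|"` case. If the harness is indeed a substring match, a short comment at the top of the file saying so would stop future contributors from assuming `=` is an exact comparison.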
432 -p tcp -m tcp;=;OK
433diff --git a/iptables-test.py b/iptables-test.py
434index ca5efb1..f3e96f4 100755
435--- a/iptables-test.py
436+++ b/iptables-test.py
437@@ -64,6 +64,23 @@ def delete_rule(iptables, rule, filename, lineno):
438 return 0
439 
440 
441+def list_rules(iptables, rule, filename, lineno):
442+ '''
443+ list iptables rules
444+ '''
445+ cmd = iptables + " -vvL "
446+ if " -t " in rule:
447+ cmd += " -t " + rule.split(" -t ")[1].split(" ")[0]
448+ 
449+ ret = execute_cmd(cmd, filename, lineno)
450+ if ret:
451+ reason = "cannot list: " + iptables + " -vvL " + rule
452+ print_error(reason, filename, lineno)
453+ return -1
454+ 
455+ return 0
456+ 
457+ 
458 def run_test(iptables, rule, rule_save, res, filename, lineno, netns):
459 '''
460 Executes an unit test. Returns the output of delete_rule().
461@@ -151,6 +168,11 @@ def run_test(iptables, rule, rule_save, res, filename, lineno, netns):
462 if netns:
463 return 0
464 
465+ ret = list_rules(iptables, rule, filename, lineno)
466+ if ret < 0:
467+ delete_rule(iptables, rule, filename, lineno)
468+ return -1
469+ 
470 return delete_rule(iptables, rule, filename, lineno)
471 
472 def execute_cmd(cmd, filename, lineno):
473-- 
4742.23.0
475 
476
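Review bot: The new `--tcp-option` cases in libxt_tcp.t cover a valid value and a negative one but not the upper bound; the option kind is a one-byte field, so `-p tcp -m tcp --tcp-option 256;;FAIL` alongside `-p tcp -m tcp --tcp-option 255;=;OK` would pin the accepted range the same way the port and connlimit files in this patch do for theirs. This is a suggestion only; I have not verified which parser type libxt_tcp uses for the option, so confirm 255 is really the maximum before adding the line.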
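Review bot: `list_rules` builds its command as `iptables + " -vvL "` without `-n`, so every listing performs reverse-DNS and service-name lookups on the addresses and ports in the rule under test (`1.1.1.1`, `dead::beef`, port ranges); on a host without a resolver that can stall each case for the lookup timeout and makes the suite's runtime depend on the network. Use `cmd = iptables + " -vvnL"` and mirror it in the `reason` string. The table extraction `rule.split(" -t ")[1].split(" ")[0]` is also guarded by `" -t " in rule`, which needs a leading space, so if the caller ever places `-t nat` at the very start of the rule the check misses it and the filter table is listed instead; tokenising is more robust, e.g. `toks = rule.split()` then `cmd += " -t " + toks[toks.index("-t") + 1]` when `"-t" in toks`. The docstring should also state the contract the caller relies on: returns 0 on success and -1 after printing an error, and exists to catch crashes in the list/print path rather than to check output.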
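Review bot: The new `list_rules` call in `run_test` sits after the existing `if netns: return 0` guard, so in netns mode (presumably the mode used to keep the host's tables untouched) the listing path is never exercised and a crash in an extension's print function would go unnoticed there. If that is deliberate, say so next to the call, e.g. `# listing is only verified outside netns; see early return above`; otherwise move the call above the guard. Note that `run_test` begins outside this hunk, so I cannot see whether the earlier save/compare step is subject to the same restriction.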